[Piwik-trac] [Piwik] #78: Check that printing GET parameters in the JS code is secure
Piwik
trac at piwik.org
Fri Mar 7 10:38:43 CET 2008
#78: Check that printing GET parameters in the JS code is secure
-----------------------+----------------------------------------------------
Reporter: matt | Owner:
Type: Task | Status: new
Priority: major | Milestone: DVNO
Component: Security | Version:
Resolution: | Keywords:
-----------------------+----------------------------------------------------
Comment (by Draicone):
Just a suggestion - you probably only want to sanitize HTML tags and
quotes. The actual data of the request should be left as is as much as
possible, or at least kept in strings when output to JS.
That said, just about anything can get past a typical filter these days;
have a brief glance through [http://ha.ckers.org/xss.html this cheat sheet
for XSS]. It's clearly impractical to protect data against just about
anything. As long as arbitrary JS can't go straight from the URL to the
scripts (unless this is intentional, of course), there really is no cause
for concern.
The htmlspecialchars() in Piwik_Common::getRequestVar() is sufficient, and
maybe an addslashes() somewhere is an option.
--
Ticket URL: <http://dev.piwik.org/trac/ticket/78#comment:3>
Piwik <http://piwik.org>
Piwik, open source web analytics software
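An added example, written for this page and not taken from Piwik or from the commenter, of the "keep it in a string" approach the comment describes: the request value is emitted as a JavaScript string literal with PHP's json_encode() and the JSON_HEX_* flags. The JS runtime still receives the data exactly as it arrived in the request, while the encoded form cannot close the string, the surrounding <script> element, or an attribute. The function names jsStringLiteral() and compareEncodings() and the sample value are constructed for illustration; Piwik_Common::getRequestVar() is mentioned only by name and is not reimplemented.

```php
<?php
// Added example (not Piwik code): emit a request value as a JavaScript
// string literal that is safe to place inside an inline <script> block.
// jsStringLiteral() and compareEncodings() are names assumed here.

function jsStringLiteral(string $value): string
{
    // json_encode() yields a double-quoted JS string literal with backslash
    // escapes for quotes, backslashes and control characters (a raw newline
    // becomes the two characters \n). Without JSON_UNESCAPED_UNICODE every
    // non-ASCII code point is written as \uXXXX, so the JS line terminators
    // U+2028/U+2029 are covered too. The JSON_HEX_* flags additionally encode
    // < > & ' " as \uXXXX, so the output can never contain </script>, close an
    // attribute, or be altered by an HTML parser before the JS engine sees it.
    $flags = JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP;
    $literal = json_encode($value, $flags);
    if ($literal === false) {
        // Invalid UTF-8 in the request: emit an empty literal rather than
        // anything derived from the raw bytes (json_last_error_msg() has why).
        return '""';
    }
    return $literal;
}

function compareEncodings(string $value): array
{
    // Side by side: HTML entity encoding (what htmlspecialchars() does) versus
    // a JS string literal. The first alters the data a script receives
    // (a quote arrives as the six characters &quot;) and leaves newlines raw;
    // the second keeps the data intact and fits inside one JS expression.
    return [
        'htmlspecialchars' => htmlspecialchars($value, ENT_QUOTES, 'UTF-8'),
        'jsStringLiteral'  => jsStringLiteral($value),
    ];
}

// Constructed sample value: a request parameter containing the characters
// that matter in a JS string context (quotes, ampersand, newline, a tag).
$sample = "O'Reilly said \"hi\" & left\n<br>";

foreach (compareEncodings($sample) as $name => $out) {
    printf("%-16s %s\n", $name, str_replace("\n", "\\n(raw newline)", $out));
}

// Embedding in an inline script: the literal is a complete JS expression, so
// no further quoting is needed around it.
echo '<script>var piwikParam = ' . jsStringLiteral($sample) . ";</script>\n";
// The jsStringLiteral line prints:
// "O\u0027Reilly said \u0022hi\u0022 \u0026 left\n\u003Cbr\u003E"
```

The same function is appropriate wherever a value from Piwik_Common::getRequestVar() or any other request source lands inside JavaScript, whether as a quoted string or as a property inside an object literal; what it is not appropriate for is an unquoted position (a bare identifier, a number slot, or a URL passed to eval), where no escaping of characters can help and the value should be validated against an allow-list instead.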