• Search for {{ siteName| }}
  • SMS report encoding
  • All consumers of websiteName

Besides Website names, what are the other entities which are stored sanitized?

I expect maybe that many entities will store as sanitize. Fixing this has some risks for XSS we have to careful.

• Also maybe we can remove the makeXssContent() used in tests and make the behavior consistent (ie. sanitize whether we call the API directly in PHP, or via HTTP, or whether we use API\Request object).

@matt If makeXssContent is removed, how do we test for XSS?

I didn't mean to remove the xss test itself but rather I was noting that there is also an inconsistency in the way APIs inputs are (or not) sanitized.
Maybe this is out of scope for this ticket though.

Note: there is another inconsistent sanitization policy in Piwik, see below function:

    /**
     * This function will sanitize or not if it's needed for the specified action type
     *
     * URLs (Page URLs, Downloads, Outlinks) are stored raw (unsanitized)
     * while other action types are stored Sanitized
     *
     * @param $actionType
     * @param $actionString
     * @return string
     */
    private static function normaliseActionString($actionType, $actionString)

and: Action::isActionTypeStoredSanitized

#6714 has been merged into this issue

@mattab hi, as this problem is open for a long time and commonly suffered, when do you plan to fix it?

Due to the complexity of this task and the high risk of introducing security regressions (in particular, XSS), so far we have not been able to work / schedule this project. I would suspect it will take a long time before we can tackle this fully, and likely it will be done step by step over time, plugin by plugin etc. Any contribution will be very welcome

Thanks for creating this issue! We appreciate your input. This issue covers a lot of ground, and it's a bit too broad for us to tackle effectively as is. So, we're going to close it for now.

Instead some issues still opened are: #11786 #21164 #9223