Check that printing GET parameters in the JS code is secure #5498
Comments
|
Just a suggestion – you probably only want to sanitize HTML tags and quotes. The actual data of the request should be left as is as much as possible, or at least kept in strings when output to JS. That said, just about anything can get past a typical filter these days – have a brief glance through (ha.ckers.org/xss.html) this cheat sheet for XSS], it’s clearly impractical to protect data against just about anything. As long as arbitrary JS can’t go straight from the URL to the scripts (unless this is intentional, of course), there really is no cause for concern. The htmlspecialchars() in Piwik_Common::getRequestVar() is sufficient, and maybe an addslashes() somewhere is an option. |
|
(In 383) – fix #5498 Thanks for your help on this Draicone. Added addslashes() to the values printed in the JS footer of the datatables |
in [source:/trunk/modules/ViewDataTable.php] method`
getJavascriptVariablesToSet()` we load GET parameters values and print them in the javascript code to “forward” the values to the Javascript logic (used in the Jquery code).
Is this safe? We use`
Piwik_Common::getRequestVar()` to sanitize the value but is it safe enough? Or could some hijacking/xss/etc be possible here?
The text was updated successfully, but these errors were encountered: