Escape/sanitize strings on output rather than on input #6714

mnapoli · 2014-11-23T20:23:02Z

Following a discussion about security:

One of the current best practices in Piwik is escape everything on input. But in general, best practices recommend:

filter on input (e.g. cast to an integer if you expect an integer, but don't sanitize strings)
escape on output

e.g. http://blog.ircmaxell.com/2011/03/what-is-security-web-application.html

Problems with the current approach:

escaping on input is done for HTML/XML: that escaping doesn't makes sense for SQL, JavaScript/JSON, … And it needs to be undone for those cases
double escaping issues if we escape on output (e.g. Twig and Angular do that by default)
- Scheduled report name is double encoded #7987, Quotes in goal names are over-escaped #7969, All websites dashboard lists website names double encoded #7806, Special characters in website name not shown correctly #7531, Website name is double encoded in page "No data has been recorded yet" #7528, Truncation of labels on datatables leads to labels changed to '...' #6821, error message in form are html encoded #6722, Bad encoding title in the list #6325, ecommerce orders with double quotes in product name or category name are not tracked #6068, Improvements for custom events in tables like visitor log #5189, Row evolution: Y axis legend is double URL encoded #5009, Apostrpohes (and maybe other special characters) are shown encoded in page tooltip #4749, Ampersand in page title is not displayed as & in Piwik Dashboard Widgets #4709, Fix inconsistent sanitization: sanitize on output rather than input #4231, regression New and edited annotations are URL encoded #3954, "&" characters are transformed to "&" in pagetitles of tracked goals when editing them #3549, Goals Names containing html entities are displayed double encoded in column names #3503, Double encoding for report name #2519, Inline search: & becomes & #2400, Problem with ampersand in Website Chooser #2386, Swedish characters don't show up properly in UI, graphs #974, Update from 2.3 to 2.4 breaks db password #341
strings are stored in database escaped (not as their "real" values)

mattab · 2015-06-01T22:35:53Z

Duplicates #4231

mnapoli · 2015-06-02T08:24:35Z

Oh yes thanks I forgot to close!

mnapoli added Major Indicates the severity or impact or benefit of an issue is much higher than normal but not critical. c: Platform For Matomo platform changes that aren't impacting any of our APIs but improve the core itself. labels Nov 23, 2014

mattab added this to the Mid term milestone Nov 25, 2014

mattab added the Task Indicates an issue is neither a feature nor a bug and it's purely a "technical" change. label Dec 1, 2014

mnapoli mentioned this issue Mar 26, 2015

Special characters in website name not shown correctly #7531

Closed

diosmosis mentioned this issue Mar 27, 2015

Fix double escaping bug #7552

Merged

This was referenced May 28, 2015

Scheduled report name is double encoded #7987

Closed

Fix inconsistent sanitization: sanitize on output rather than input #4231

Closed

mattab closed this as completed Jun 1, 2015

mattab added the duplicate For issues that already existed in our issue tracker and were reported previously. label Jun 2, 2015

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Escape/sanitize strings on output rather than on input #6714

Escape/sanitize strings on output rather than on input #6714

mnapoli commented Nov 23, 2014

mattab commented Jun 1, 2015

mnapoli commented Jun 2, 2015

Escape/sanitize strings on output rather than on input #6714

Escape/sanitize strings on output rather than on input #6714

Comments

mnapoli commented Nov 23, 2014

mattab commented Jun 1, 2015

mnapoli commented Jun 2, 2015