On 2/28/2016 4:28 AM, Petko Yotov wrote:
> No, htmlspecialchars() is not vulnerable per se, what is vulnerable is
> that the string you store in a $FmtPV variable will be evaluated and run
> by PmWiki as PHP code. So it is a bad idea to store in that variable
> things that other people wrote on the wiki or in the web forms, or in
> the URL address -- $FmtPV was never intended to be used this way.
>
> Instead of {$PageVar} you can use in your forms {$$RequestVars} for
> example in pagelists: these are not vulnerable, you don't need to do
> anything. Or, for needs other than pagelists/searches, the recipe
> "HttpVariables" provides access to request strings without evaluating them.
>
> Even if you sanitize the strings, a future PHP upgrade may include a new
> way to compromise the site. So, don't evaluate random strings. :-)

Ah, so it's the act of storing user input into $FmtPV which is the problem. This helps clarify the problem. Initially it appeared that assigning $_REQUEST to any variable was the issue.

_______________________________________________
pmwiki-users mailing list
pmwiki-users@pmichaud.com
http://www.pmichaud.com/mailman/listinfo/pmwiki-users
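The distinction the thread lands on, shown as an added example that is not code from either poster or from PmWiki itself: `resolvePageVar()` below is a deliberately simplified stand-in for the way PmWiki's `PageVar()` resolves a `$FmtPV` entry (an `eval("return (...)")` of the stored string; the real function does more, and that is an assumption about its internals). `$requestValue` is a constructed sample standing in for something taken from `$_REQUEST`. The unsafe block splices the request text into the string that gets evaluated, so the text becomes code; the safe block keeps the `$FmtPV` entry a fixed PHP expression that only refers to a plain variable, so the request text stays data.

```php
<?php
// Simplified model of PmWiki's page-variable lookup (assumption: the real
// PageVar() does more, but the eval of the $FmtPV string is the relevant part).
function resolvePageVar(array $fmtPV, string $var)
{
    if (!isset($fmtPV[$var])) {
        return null;
    }
    // This is the step the thread warns about: the stored string is PHP code.
    return eval("return ({$fmtPV[$var]});");
}

// Constructed sample; imagine it arrived via the URL as $_REQUEST['q'].
$requestValue = '2*21';

// UNSAFE: the visitor's text is stored directly as the $FmtPV entry, so it is
// what gets evaluated. Harmless arithmetic here, but any PHP expression would run,
// and escaping the text does not change the fact that it is treated as code.
$unsafeFmtPV = [];
$unsafeFmtPV['$Query'] = $requestValue;
var_dump(resolvePageVar($unsafeFmtPV, '$Query'));   // int(42): the text became code

// SAFE: the $FmtPV entry is a fixed expression written by the site admin. It
// refers to a variable that holds the request text, but the text itself is never
// part of the evaluated code, no matter what characters it contains.
$QueryValue = $requestValue;                       // plain variable holding the data
$safeFmtPV = [];
$safeFmtPV['$Query'] = '$GLOBALS["QueryValue"]';   // constant expression, no user text
var_dump(resolvePageVar($safeFmtPV, '$Query'));    // string(4) "2*21": still just text
```

Run with `php example.php`. The point to take from the two `var_dump` results is that the same input is executed in the first case and merely returned in the second; the safe form is what the poster means by "don't evaluate random strings", and the `{$$RequestVars}` and HttpVariables approaches mentioned in the thread achieve the same separation without a custom `$FmtPV` entry at all.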