Opened 16 months ago

Closed 16 months ago

Last modified 10 months ago

#879 closed defect (fixed)

WebBasket: User input has to be better washed and sanitized

Reported by: nkasioum Owned by: nkasioum
Priority: minor Milestone:
Component: WebBasket Version:
Keywords: Cc:

Description

User input should be carefully washed and sanitized before used and displayed to avoid unexpected behavior and exploits. The same goes for DB functions' output.

Change History (6)

comment:1 Changed 16 months ago by nkasioum

  • Status changed from new to in_merge

Fixed in:

comment:2 Changed 16 months ago by nkasioum

  • Summary changed from WebBasket: user input has to be better washed and sanitized to WebBasket: User input has to be better washed and sanitized

comment:3 Changed 16 months ago by Nikolaos Kasioumis <nikolaos.kasioumis@…>

  • Resolution set to fixed
  • Status changed from in_merge to closed

In [3b12ca392b4ab70b9b3c8d997fcfbf1bcab7a12c]:

WebBasket: many small fixes and improvements

  • Replaces various dblayer functions that would return faulty values due to GROUP_CONCAT with improved versions of them. Improves handling and parsing of the values returned by the dblayer functions to create the main WebBasket interface. Removes all calls of the eval() function and replaces them with safer functions. Sanitizes user input coming fromthrough GET and POST variables. Sanitizes special HTML characters like '&'. (closes #879)
  • Improves creation of HTML Select form elements to be compatible with all major browsers. (closes #878)

comment:6 Changed 15 months ago by simko

  • Milestone v1.0 deleted

Milestone v1.0 deleted

comment:7 Changed 10 months ago by Nikolaos Kasioumis <nikolaos.kasioumis@…>

In 3b12ca392b4ab70b9b3c8d997fcfbf1bcab7a12c:

WebBasket: many small fixes and improvements

  • Replaces various dblayer functions that would return faulty values due to GROUP_CONCAT with improved versions of them. Improves handling and parsing of the values returned by the dblayer functions to create the main WebBasket interface. Removes all calls of the eval() function and replaces them with safer functions. Sanitizes user input coming fromthrough GET and POST variables. Sanitizes special HTML characters like '&'. (closes #879)
  • Improves creation of HTML Select form elements to be compatible with all major browsers. (closes #878)

comment:8 Changed 10 months ago by Nikolaos Kasioumis <nikolaos.kasioumis@…>

In 3b12ca392b4ab70b9b3c8d997fcfbf1bcab7a12c:

WebBasket: many small fixes and improvements

  • Replaces various dblayer functions that would return faulty values due to GROUP_CONCAT with improved versions of them. Improves handling and parsing of the values returned by the dblayer functions to create the main WebBasket interface. Removes all calls of the eval() function and replaces them with safer functions. Sanitizes user input coming fromthrough GET and POST variables. Sanitizes special HTML characters like '&'. (closes #879)
  • Improves creation of HTML Select form elements to be compatible with all major browsers. (closes #878)
Note: See TracTickets for help on using tickets.