-
I, like everyone, have users giving me data through text fields, TinyMCE and the like. I would like to be sure I am protected against "Evil Users" (as opposed to "Good Users"). I would like to do this in a single location (a single code call on the input source). My questions regarding this are:
1) Does modx do this automatically? In reading some of the security articles I thought the answer was "maybe".
2) If modx does not sanitize inputs automatically, is there a piece of code/modx routine I should call on user input?
Thanks in advance
P
-
Define user: Web-user or manager-user? i.e. frontend (Jot, eForm) or manager?
Snippets like eForm have some kind of regex validators built-in. I’m not aware of any general all-purpose user-input-cleaner tool though...
It also depends on the actual field / data-type you’re using: max. string-length, integers or strings, plain text only, HTML allowed yes/no, pseudo tags (ubb)...
If you’re interested mainly in security (XSS attacks, hackers, script kiddies, spammers), there’s lots of advice on the web.
-
Thanks for the reply ganeshXL.
With as many snippets and tools as there are in modx, I figured there might be a general purpose call, module, or set of calls to handle the various types of input. I have certainly been trying to educate myself on the common ways of handling this kind of thing. I just didn’t want to write a tool if one already was handy.
P
Look at manager/includes/protect.inc.php -- this is called on all MODx requests and performs basic user input scrubbing in GPC variables. Beyond this basic scrubbing, how you implement additional input sanitization depends on what kind of user input you want to allow/reject.
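A concrete version of the per-field approach ganeshXL and OpenGeek describe (integer vs. string, length limit, HTML allowed yes/no, escape on output), written as one call the original poster could drop in front of a form handler. This is an added example: it is not MODX code and does not describe what protect.inc.php does. It assumes PHP 8 and a hypothetical comment form with the fields doc_id, name and comment; the tag allow-list and length limits are illustrative.

```php
<?php
// Added example (not MODX code, and not what manager/includes/protect.inc.php does):
// one place that validates each field according to its own type, then escapes
// at output time. Assumes PHP 8 and a hypothetical comment form with the
// fields doc_id (integer), name (single line of plain text) and comment
// (text with a small allow-list of HTML tags).
declare(strict_types=1);

// Integer within [$min, $max]; anything else (including "42abc") is rejected.
function clean_int(mixed $value, int $min, int $max): ?int
{
    $n = filter_var($value, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
    return $n === false ? null : $n;
}

// Single-line plain text: valid UTF-8, no control characters, bounded length.
// Nothing is stripped here; '<' is legal in a name and is neutralised on output.
function clean_plain_line(mixed $value, int $maxLen): ?string
{
    if (!is_string($value) || !mb_check_encoding($value, 'UTF-8')) {
        return null;
    }
    $value = trim($value);
    if ($value === '' || mb_strlen($value, 'UTF-8') > $maxLen) {
        return null;
    }
    if (preg_match('/[\x00-\x1F\x7F]/', $value)) {
        return null;
    }
    return $value;
}

// Limited HTML: drop tags outside the allow-list, then reject the input if any
// tag that is left carries attributes. strip_tags() keeps attributes on allowed
// tags (onclick=, href="javascript:..."), so a reject-if-not-bare check is
// simpler and safer than trying to scrub attributes with a regex.
function clean_limited_html(mixed $value, int $maxLen): ?string
{
    if (!is_string($value) || !mb_check_encoding($value, 'UTF-8')) {
        return null;
    }
    if (mb_strlen($value, 'UTF-8') > $maxLen) {
        return null;
    }
    $kept = strip_tags($value, '<b><i><p><br>');
    $withoutBareTags = preg_replace('#</?(?:b|i|p|br)\s*/?>#i', '', $kept);
    if (str_contains($withoutBareTags, '<')) {
        return null;
    }
    return $kept;
}

// Output-side escaping for anything that is stored as plain text.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// The single call the original poster asked for: returns [clean values, names of bad fields].
function validate_comment_form(array $post): array
{
    $clean = [
        'doc_id'  => clean_int($post['doc_id'] ?? null, 1, PHP_INT_MAX),
        'name'    => clean_plain_line($post['name'] ?? null, 60),
        'comment' => clean_limited_html($post['comment'] ?? null, 4000),
    ];
    $errors = array_keys(array_filter($clean, fn ($v) => $v === null));
    return [$clean, $errors];
}

// Constructed sample request, standing in for $_POST.
$sample = [
    'doc_id'  => ' 42 ',
    'name'    => ' Alice <script>alert(1)</script> ',
    'comment' => 'Hi <b onclick="steal()">there</b><img src=x onerror=alert(1)>',
];
[$clean, $errors] = validate_comment_form($sample);
// The <img> is dropped by strip_tags, but <b onclick> is not a bare allowed tag,
// so the comment field is reported in $errors. The name keeps its <script> text
// because it is plain text; it is rendered harmlessly through e():
echo e($clean['name']) . "\n";

$good = ['doc_id' => '7', 'name' => 'Bob', 'comment' => 'Hi <b>there</b><br/><u>x</u>'];
[$clean, $errors] = validate_comment_form($good);
// No errors: the disallowed <u> is stripped and the bare <b> and <br/> are kept.
echo $clean['comment'] . "\n";
```

Two design points worth keeping in mind. Plain-text fields are not "cleaned" on input at all: the dangerous step for XSS is output, so they are stored as typed and escaped with htmlspecialchars() at render time, which also keeps a name like "O'Brien <jr>" intact. Fields that may carry HTML are the opposite: they are validated on input against a strict allow-list and rejected rather than repaired, because a regex-based attribute scrubber is easy to get wrong. Database safety is a separate concern from either of these and belongs to prepared statements, not to this layer.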
-
Thanks OpenGeek! I will check it out.
P
-
Thanks dev_cw! I will check it out.
P