Suppose you could use a custom posthook like this which runs htmlentities on all values:
<?php
// FormIt passes the hook object in as $hook; getValues()/setValues() read
// and write the submitted field values.
$values = $hook->getValues();
foreach ($values as $key => $value) {
    $values[$key] = htmlentities($value, ENT_QUOTES, 'UTF-8');
}
$hook->setValues($values);
// a hook must return true, otherwise FormIt stops processing the form
return true;
It's worthy of a discussion to see what the best way to handle stuff like this is - I wouldn't be opposed to a FormIt property that is enabled by default which runs every input through htmlentities. As far as I know, as long as your page is properly UTF-8 encoded and you use htmlentities as in my example above, you are pretty much safe from XSS.
Right now, I have put the output modifier into all placeholders. I'd like to have a kind of clean solution for further projects, as not all users will test their sites against security issues like my client does.
So, I'd appreciate a general discussion, as it's not my special topic. To be honest, nothing feels like my special topic right now :/
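As an added example (not FormIt code and not from any poster in this thread), here is the posthook loop from above made robust against two things a real submission will hit: multi-value fields such as checkbox groups, which arrive as arrays and make htmlentities() fail, and a field containing invalid UTF-8, for which htmlentities() returns an empty string unless ENT_SUBSTITUTE is set. The function name escapeValues and the sample submission are assumptions of this example.

```php
<?php
declare(strict_types=1);

// Added example, not FormIt's own code: the posthook loop from the post
// above, made recursive so multi-value fields (checkbox groups arrive as
// arrays) do not break htmlentities(), and with ENT_SUBSTITUTE so a field
// containing invalid UTF-8 is not silently replaced by an empty string.

/**
 * Escape every string inside a (possibly nested) array of submitted values
 * so it can be placed in an HTML body or inside a quoted attribute.
 */
function escapeValues(array $values, string $encoding = 'UTF-8'): array
{
    foreach ($values as $key => $value) {
        if (is_array($value)) {
            // e.g. a checkbox group posted as topics[]=a&topics[]=b
            $values[$key] = escapeValues($value, $encoding);
        } elseif (is_string($value)) {
            // ENT_QUOTES covers both ' and "; ENT_SUBSTITUTE swaps invalid
            // byte sequences for U+FFFD instead of returning ''.
            $values[$key] = htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE, $encoding);
        }
        // ints, floats, bools and null are left untouched
    }
    return $values;
}

// Constructed sample submission (not real form data).
$submitted = [
    'name'    => '<script>alert(\'xss\')</script> <a href="Test">Test</a>',
    'topics'  => ['security', '<img src=x onerror=alert(1)>'],   // checkbox group
    'comment' => "caf\xC3",                                      // truncated multibyte char
];

$escaped = escapeValues($submitted);

// Raw versus escaped markup. Both render as the visible text "Test" in a
// browser; only the page source shows whether the <script> tag survived,
// so check the source (or the DOM), not the rendered page.
echo "raw:     ", $submitted['name'], "\n";
echo "escaped: ", $escaped['name'], "\n";

echo "topics:  ", implode(' | ', $escaped['topics']), "\n";

// Plain htmlentities($value, ENT_QUOTES, 'UTF-8') would return '' for the
// broken string and the whole field would vanish from the reloaded form.
echo "comment: ", $escaped['comment'], "\n";
```

Under ENT_QUOTES, `<` and `>` become `&lt;` and `&gt;`, `"` becomes `&quot;` and `'` becomes `&#039;`, so the script and anchor tags are rendered as text rather than parsed. This covers HTML body and quoted-attribute contexts only; a value dropped into an unquoted attribute, a `javascript:` URL or an inline script block needs context-specific encoding that htmlentities() does not provide.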
Hi Guido,
As far as our tests show, 'htmlent' is set as standard for all FormIt placeholders.
Using htmlent versus not using it delivers almost the same output for the following input on reloading a FormIt page:
input:
<script>alert('xss')</script> <a href="Test">Test</a>
1. output without htmlent on reloading:
Test
2. with htmlent:
Test
(Between the two tags there are originally 8 space characters. In case 1 the output has space characters in front of 'Test', which seem to have been cleared by the forum software.)
Can anybody from the MODX team confirm whether this is correct and whether it makes no difference to use htmlent or not? Or did we make any mistake in these tests?
With the help of Mark Hamstra (Thanks, buddy!!!) I got this solution to work using a FormIt-Validator:
[[!FormIt?
...
&customValidators=`FormItHtmlEnt`
&validate=`
fieldname1:required:FormItHtmlEnt,
fieldname2:required:FormItHtmlEnt
]]
With FormItHtmlEnt being this snippet:
<?php
// FormIt passes $validator, $key and $value into a custom validator snippet.
// Fall back to the site charset if no $encoding variable is available.
$encoding = !empty($encoding) ? $encoding : $modx->getOption('modx_charset', null, 'UTF-8');
$validator->fields[$key] = htmlentities($value, ENT_QUOTES, $encoding);
// the snippet only transforms the value, so the field is always "valid"
return true;
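The validator above escapes the value at validation time, while the earlier reply reports that htmlent is already applied to FormIt placeholders on output. As an added example (not FormIt code and not from any poster in this thread), this shows what a value looks like after it has been run through htmlentities() twice, and how the double_encode argument lets an output-time escape tolerate a value that was already escaped upstream. The function names escapeOnInput and escapeOnOutput and the sample value are assumptions of this example.

```php
<?php
declare(strict_types=1);

// Added example, not FormIt's own code: escaping once at validation time
// and once more at output time double-encodes the value. Passing
// double_encode=false to the output-time call avoids that while still
// escaping values that were never escaped upstream.

/** Stands in for the FormItHtmlEnt validator: escape when the form is validated. */
function escapeOnInput(string $value, string $encoding = 'UTF-8'): string
{
    return htmlentities($value, ENT_QUOTES, $encoding);
}

/** Stands in for an output-time escape such as an htmlent output modifier. */
function escapeOnOutput(string $value, bool $doubleEncode = true): string
{
    return htmlentities($value, ENT_QUOTES, 'UTF-8', $doubleEncode);
}

// Constructed sample value (not real form data).
$raw = "Tom & Jerry <script>alert('xss')</script>";

// Pass 1: what the validator writes into $validator->fields[$key].
$stored = escapeOnInput($raw);

// Pass 2 with the default double_encode=true: the '&' of every entity
// produced by pass 1 is escaped again, so the visitor sees the literal
// characters "&lt;script&gt;" on the page instead of "<script>".
$twice = escapeOnOutput($stored);

// Pass 2 with double_encode=false: existing entities are left alone, so
// the result equals the stored value.
$once = escapeOnOutput($stored, false);

echo "raw:    $raw\n";
echo "stored: $stored\n";
echo "twice:  $twice\n";
echo "once:   $once\n";

// Both checks hold: an already escaped value passes through unchanged,
// and a value that was never escaped is still escaped.
var_dump($once === $stored);
var_dump(escapeOnOutput($raw, false) === $stored);
```

Pass 1 turns `&` into `&amp;`, `<` into `&lt;` and `'` into `&#039;`; the default second pass then turns each of those into `&amp;amp;`, `&amp;lt;` and `&amp;#039;`, which is harmless but visibly corrupts the text. Escaping at validation time also bakes HTML entities into whatever else FormIt does with the value, such as a plain-text e-mail, so escaping at output time (the placeholder modifier) is normally the cleaner place to do it; if both are kept, the output-time call should use double_encode=false.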
Great share!