Flag any non-validated/sanitized $_GET, $_POST, $_REQUEST, $_SERVER #72

Closed
2 tasks done
westonruter opened this issue Oct 11, 2013 · 3 comments · Fixed by #101

@westonruter

While we should also sanitize/validate data returned from the database (post meta and options), adding checks for all functions and methods which access the database (post data, post meta, options, etc) is very difficult since there are so many. Furthermore, the severity of validating and sanitizing data coming from the database is much less important than validating and sanitizing data coming directly from the user via $_GET and $_POST, since WordPress already sanitizes much of the data going into the DB, and the WordPress API functions will often sanitize the data they return automatically.

  • Flag any use of $_GET, $_POST, $_REQUEST, or $_SERVER which is not wrapped in a sanitizing/validating function.
  • Allow use of isset and empty among other sanitization functions.

http://codex.wordpress.org/Data_Validation
http://php.net/manual/en/function.filter-var.php

Validation, Sanitization, and Escaping

$_GET, $_POST, $_REQUEST, $_SERVER and other data from untrusted sources (including values from the database such as post meta and options) need to be validated and sanitized on save and escaped on output.

@ghost ghost assigned shadyvb Oct 19, 2013

shadyvb commented Oct 19, 2013

Speaking of which, shouldn't the filter_var* / filter_input* family be included in the XSS Sniff's sanitizing functions list?

@westonruter

@shadyvb yes!


shadyvb commented Oct 19, 2013

@westonruter Requested in #99
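As an added example (not code from the WordPress-Coding-Standards project or from the participants above), the access pattern the proposed sniff is meant to flag beside the pattern it is meant to accept: bare reads of $_GET, $_POST and $_SERVER on one side, and on the other reads guarded by isset/empty, validated with PHP's filter_var family (the functions the comment above asks to have recognised as sanitizing) or a small validating helper, with a safe default on failure and escaping at the point of output. It uses plain PHP rather than WordPress's sanitize_*/esc_* helpers so that it runs from the CLI; the request values, the host allow-list and the allowed_host() helper are constructed for the example.

```php
<?php
// Added example, not part of WordPress-Coding-Standards. Shows the access pattern
// the sniff should flag (bad_handler) beside the pattern it should accept (good_handler).
declare( strict_types=1 );

// Constructed request data so the script runs from the CLI without a web server.
// Every value here is attacker-controlled, including the $_SERVER header.
$_GET                 = array( 'id' => '42abc', 'redirect' => '"><script>alert(1)</script>' );
$_POST                = array( 'email' => 'not-an-email' );
$_SERVER['HTTP_HOST'] = 'evil.example';

// BAD: raw superglobal reads, no existence check, no validation, no output escaping.
// These bare reads are exactly what the sniff is meant to flag.
function bad_handler(): string {
	$id       = $_GET['id'];
	$redirect = $_GET['redirect'];
	$host     = $_SERVER['HTTP_HOST'];
	return "<a href=\"https://{$host}{$redirect}\">Post {$id}</a>";
}

// Hypothetical project helper: validate the Host header against an allow-list of
// deployment hosts (assumed values). A project-specific validator like this has to be
// known to the sniff for the wrapped read to be accepted.
function allowed_host( string $host ): string {
	$allowed = array( 'example.com', 'www.example.com' );
	return in_array( $host, $allowed, true ) ? $host : 'example.com';
}

// GOOD: isset/empty guards (allowed by the sniff), validation via filter_var with a
// safe default on failure, an allow-list for values that cannot be type-validated,
// and escaping at the point of output.
function good_handler(): string {
	// Integer ID: FILTER_VALIDATE_INT rejects '42abc'; fall back to 0 (no post).
	$id = isset( $_GET['id'] )
		? filter_var( $_GET['id'], FILTER_VALIDATE_INT, array( 'options' => array( 'min_range' => 1 ) ) )
		: false;
	if ( false === $id ) {
		$id = 0;
	}

	// Redirect target: only a same-site relative path is acceptable; anything else
	// (including the script payload above) is replaced by the site root.
	$redirect = isset( $_GET['redirect'] ) ? (string) $_GET['redirect'] : '';
	if ( 1 !== preg_match( '#^/[A-Za-z0-9_/.-]*$#', $redirect ) ) {
		$redirect = '/';
	}

	// Host header: never trusted as-is, always passed through the validating helper.
	$host = isset( $_SERVER['HTTP_HOST'] ) ? allowed_host( (string) $_SERVER['HTTP_HOST'] ) : 'example.com';

	// E-mail: FILTER_VALIDATE_EMAIL returns false for 'not-an-email'.
	$email = ! empty( $_POST['email'] ) ? filter_var( $_POST['email'], FILTER_VALIDATE_EMAIL ) : false;

	// Escape on output regardless of validation: validation and escaping are separate steps.
	return sprintf(
		'<a href="https://%s%s">Post %d</a> (%s)',
		htmlspecialchars( $host, ENT_QUOTES, 'UTF-8' ),
		htmlspecialchars( $redirect, ENT_QUOTES, 'UTF-8' ),
		$id,
		false === $email ? 'no valid email' : htmlspecialchars( $email, ENT_QUOTES, 'UTF-8' )
	);
}

echo 'Flagged by the sniff:  ' . bad_handler() . PHP_EOL;
echo 'Accepted by the sniff: ' . good_handler() . PHP_EOL;
```

Run it with `php example.php`: the first line reflects the attacker's host and script payload straight into the anchor, the second line carries only the allow-listed host, a root path, ID 0 and a "no valid email" marker. The sniff the issue describes is syntactic, so what matters to it is that every superglobal read in good_handler() sits inside isset, empty, filter_var or a function on its sanitizing list; validation and output escaping remain the developer's job, as the quoted "Validation, Sanitization, and Escaping" paragraph says.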

shadyvb added a commit that referenced this issue Oct 20, 2013
Closes #72
Switch list of sanitizing/autoescaping function to a static var to be used by other classes
@ghost ghost assigned westonruter Oct 23, 2013
jrfnl added a commit to jrfnl/WordPress-Coding-Standards that referenced this issue Apr 22, 2022
Related:
* `Universal.Namespaces.OneDeclarationPerFile` - upstream Extra WordPress#6
* `Universal.Namespaces.DisallowCurlyBraceSyntax` - upstream Extra WordPress#4
* `Universal.Namespaces.DisallowDeclarationWithoutName` - upstream Extra WordPress#50

* `Universal.UseStatements.NoLeadingBackslash` - upstream Extra WordPress#46
* `Universal.UseStatements.LowercaseFunctionConst` - upstream Extra WordPress#58

* `Universal.Constants.LowercaseClassResolutionKeyword` - upstream Extra WordPress#72

* `Generic.WhiteSpace.IncrementDecrementSpacing` - issue WordPress#1511, upstream PHPCS WordPress#2172, WordPress#2174
* `Universal.Operators.DisallowStandalonePostIncrementDecrement` - upstream Extra WordPress#65

* `Universal.Constants.UppercaseMagicConstants` - upstream Extra WordPress#64
jrfnl added thirteen further commits to jrfnl/WordPress-Coding-Standards that referenced this issue, each carrying the same "Related:" message as above, on Apr 22, Apr 26, May 15, Jun 17 (twice), Jun 25, Jul 22, Aug 7, Aug 10, Aug 12, Aug 18, Sep 11 and Oct 13, 2022.