Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Escape/sanitize strings on output rather than on input #6714

Closed
mnapoli opened this issue Nov 23, 2014 · 2 comments
Closed

Escape/sanitize strings on output rather than on input #6714

mnapoli opened this issue Nov 23, 2014 · 2 comments
Labels
c: Platform For Matomo platform changes that aren't impacting any of our APIs but improve the core itself. duplicate For issues that already existed in our issue tracker and were reported previously. Major Indicates the severity or impact or benefit of an issue is much higher than normal but not critical. Task Indicates an issue is neither a feature nor a bug and it's purely a "technical" change.
Milestone
Long term

Comments

@mnapoli
Copy link
Contributor

mnapoli commented Nov 23, 2014

Following a discussion about security:

One of the current best practices in Piwik is escape everything on input. But in general, best practices recommend:

  • filter on input (e.g. cast to an integer if you expect an integer, but don't sanitize strings)
  • escape on output

e.g. http://blog.ircmaxell.com/2011/03/what-is-security-web-application.html

Problems with the current approach:
@mnapoli mnapoli added Major Indicates the severity or impact or benefit of an issue is much higher than normal but not critical. c: Platform For Matomo platform changes that aren't impacting any of our APIs but improve the core itself. labels Nov 23, 2014
@mattab mattab added this to the Mid term milestone Nov 25, 2014
@mattab mattab added the Task Indicates an issue is neither a feature nor a bug and it's purely a "technical" change. label Dec 1, 2014
@mnapoli mnapoli mentioned this issue Mar 26, 2015
Closed
@diosmosis diosmosis mentioned this issue Mar 27, 2015
Merged
This was referenced May 28, 2015
Closed
Closed
@mattab
Copy link
Member

mattab commented Jun 1, 2015

Duplicates #4231

@mattab mattab closed this as completed Jun 1, 2015
@mnapoli
Copy link
Contributor Author

mnapoli commented Jun 2, 2015

Oh yes thanks I forgot to close!

@mattab mattab added the duplicate For issues that already existed in our issue tracker and were reported previously. label Jun 2, 2015
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
c: Platform For Matomo platform changes that aren't impacting any of our APIs but improve the core itself. duplicate For issues that already existed in our issue tracker and were reported previously. Major Indicates the severity or impact or benefit of an issue is much higher than normal but not critical. Task Indicates an issue is neither a feature nor a bug and it's purely a "technical" change.
Projects
None yet
Milestone
Long term
Development

No branches or pull requests
2 participants
@mattab @mnapoli