How does ISPC filter database output to HTML?

Discussion in 'Developers' Forum' started by laptop_user, Aug 29, 2015.

  1. laptop_user

    laptop_user Member

    Hello,

    I'm in the process of creating a form submission page. In the mypage.tform.php I have this form definition. I copied it from the form definition file in the help directory.
    PHP:
            'message' => array (
                'datatype'   => 'VARCHAR',
                'formtype'   => 'TEXTAREA',
                'validators' => array ( 0 => array ( 'type'   => 'NOTEMPTY',
                                                     'errmsg' => 'message_is_empty'),
                ),
                'default'   => $query,
                'value'     => '',
                'cols'      => '30',
                'rows'      => '10',
                'maxlength' => '255'
            ),
    My question is, how does ISPC filter database output to HTML? When I paste JavaScript code
    Code:
    <script type="text/javascript">alert('Xss test');</script>
    in the input field, the message is stored in the database without being filtered and is displayed in the browser without being filtered in the definition file. However, I don't get any alert box message?

    Where does the output filtering for, for example, Help Support Message happen? Thanks in advance.
     
  2. florian030

    florian030 Well-Known Member HowtoForge Supporter

    You must validate the value from the form yourself. Use an additional validator or check the values before update / submit.
     
    laptop_user likes this.
  3. laptop_user

    laptop_user Member

    Florian, I don't see any output filtering for 'message' in support_message.tform.php

    I copied and pasted the form definition below:
    PHP:
    'message' => array (
        'datatype'   => 'VARCHAR',
        'formtype'   => 'TEXTAREA',
        'validators' => array ( 0 => array ( 'type'   => 'NOTEMPTY',
                                             'errmsg' => 'message_is_empty'),
        ),
        'default'   => '',
        'value'     => '',
        'cols'      => '30',
        'rows'      => '10',
        'maxlength' => '255'
    ),
    You said to filter it. How does the code above filter the message queried from the DB before it is output to the web browser? I don't see any htmlspecialchars() being used. I hope you understand what I'm trying to convey...
     
  4. florian030

    florian030 Well-Known Member HowtoForge Supporter

    AFAIK there is no filter when reading from the database. You can change the content before the settings are stored in the database. For the support-message it should be $message in support_message_edit.php

    You can also look at the master branch in the git. There are several validations like $domain_name = rtrim($soa['origin'], '.'); in dns_dmarc_edit.php
    This example does not check the content but changes the submitted value. You can use a regex to filter some chars.
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    htmlspecialchars is applied automatically to content of type text before it is parsed into the form file. See class tform.inc.php, function getHTML line 541:

    $new_record[$key] = htmlspecialchars($record[$key]);

    in the current stable version.
     
    laptop_user likes this.
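    A minimal model of the escaping step till describes, added here as an example and not ISPConfig's own code: the field definition is the 'message' entry from this thread, escape_record_for_html() is a made-up name, the ENT_QUOTES flag is an addition over the one-line call quoted above, and the record is a constructed sample. Values that a custom page echoes itself, without going through getHTML(), never pass through this step.

```php
<?php
// Added example (not ISPConfig's own code): models the escaping that
// tform.inc.php getHTML() applies to record values before they reach
// the template. Function name and sample record are constructed.

$form_fields = array(
    'message' => array(
        'datatype'   => 'VARCHAR',
        'formtype'   => 'TEXTAREA',
        'validators' => array(0 => array('type'   => 'NOTEMPTY',
                                         'errmsg' => 'message_is_empty')),
        'default'   => '',
        'value'     => '',
        'cols'      => '30',
        'rows'      => '10',
        'maxlength' => '255',
    ),
);

// Escape every field of a database record before it is handed to the template,
// as getHTML() does with htmlspecialchars(). Only keys present in the form
// definition are copied, so stray columns never reach the template unescaped.
function escape_record_for_html(array $fields, array $record) {
    $new_record = array();
    foreach ($fields as $key => $field) {
        if (!isset($record[$key])) {
            continue;
        }
        // ENT_QUOTES (an addition here) also escapes single quotes, which
        // matters when the value lands inside a single-quoted attribute.
        $new_record[$key] = htmlspecialchars($record[$key], ENT_QUOTES, 'UTF-8');
    }
    return $new_record;
}

// Constructed record: the test string from this thread as stored in the DB.
$db_record = array(
    'message' => "<script type=\"text/javascript\">alert('Xss test');</script>",
);

// What the template receives: markup characters are entity-encoded, so the
// browser renders the text instead of executing it.
$safe = escape_record_for_html($form_fields, $db_record);
echo $safe['message'], "\n";
```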
  6. laptop_user

    laptop_user Member

    Yes, that's it. No wonder XSS didn't work when I tested it. The field was filtered in another PHP file. :)
     
