@mattab opened this issue on January 10th 2008

In [source:/trunk/modules/ViewDataTable.php] method getJavascriptVariablesToSet() we load GET parameter values and print them in the JavaScript code to "forward" the values to the JavaScript logic (used in the jQuery code).

Is this safe? We use Piwik_Common::getRequestVar() to sanitize the value, but is it safe enough? Or could some hijacking/XSS/etc. be possible here?

@anonymous-piwik-user commented on March 7th 2008

Just a suggestion - you probably only want to sanitize HTML tags and quotes. The actual data of the request should be left as is as much as possible, or at least kept in strings when output to JS.

That said, just about anything can get past a typical filter these days - have a brief glance through this cheat sheet for XSS (ha.ckers.org/xss.html); it's clearly impractical to protect data against just about anything. As long as arbitrary JS can't go straight from the URL to the scripts (unless this is intentional, of course), there really is no cause for concern.

The htmlspecialchars() in Piwik_Common::getRequestVar() is sufficient, and maybe an addslashes() somewhere is an option.

@mattab commented on March 17th 2008

(In [383]) - fix #5498 Thanks for your help on this Draicone. Added addslashes() to the values printed in the JS footer of the datatables
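The following is an added illustration, not Piwik's code: it renders constructed request values into a JS footer the way the thread describes (htmlspecialchars() at input, addslashes() at output) and, beside it, with json_encode() and its JSON_HEX_* flags, which is the idiomatic way to emit a PHP value as a JavaScript literal. The variable names, sample values and both helper functions are assumptions made for the example; input is assumed to be valid UTF-8.

```php
<?php
// Added example (not Piwik's code). Constructed sample values standing in
// for GET parameters; the last two are test inputs, not real Piwik data.
$samples = [
    'period'  => 'day',
    'segment' => "referrerName=='Acme'",
    'filter'  => '</script><script>alert(1)</script>',
    'label'   => "line one\nline two",
];

// Sanitization path from the thread: htmlspecialchars() (as done in
// Piwik_Common::getRequestVar, ENT_QUOTES assumed here) then addslashes()
// when the value is written into a single-quoted JS string.
function legacyJsValue(string $value): string
{
    return "'" . addslashes(htmlspecialchars($value, ENT_QUOTES, 'UTF-8')) . "'";
}

// json_encode() emits a complete JS string literal. The HEX flags turn
// < > & ' " into \uXXXX escapes so the value can close neither the
// <script> element nor the literal; newlines and U+2028/U+2029 are
// escaped as well, which addslashes() does not do. The original bytes
// are recovered unchanged on the JS side, unlike HTML entities.
function jsonJsValue(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
}

// Variable names are fixed by the application, never taken from the request.
function renderFooter(array $params, callable $encoder): string
{
    $lines = [];
    foreach ($params as $name => $value) {
        $lines[] = 'var ' . $name . ' = ' . $encoder($value) . ';';
    }
    return "<script type=\"text/javascript\">\n"
        . implode("\n", $lines) . "\n</script>";
}

echo renderFooter($samples, 'legacyJsValue'), "\n\n";
echo renderFooter($samples, 'jsonJsValue'), "\n";
```

Compare the two outputs for the `label` value: the legacy path leaves the raw newline inside the string literal, while json_encode() writes `\n`.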

This issue was closed on March 17th 2008