Sanitizing user input
The most obvious, and most frequently ignored, danger in web application security is unsanitized user input. Whether it arrives as URL parameters or form submission data, any input coming from outside your own code should never be trusted.
Manifesto includes a robust sanitization library called Cleantext that performs some default sanitization routines (checking for script tags, null characters, etc.) and allows for advanced scrubbing of text based on a variety of data types.
Given a variable holding user input, e.g. $_POST['first_name'], we pass the variable to the Cleantext library for scrubbing:
Cleantext::clean($_POST['first_name']);
or the shortcut function
cleantext($_POST['first_name']);
This prevents a malicious user from entering something like <script>foo</script> as their first name in an attempt to execute unauthorized JavaScript.
In fact, Manifesto uses the Cleantext library to catch common XSS or SQL injection attacks automatically. For example, since Manifesto allows users to request data with GET queries, like:
https://example.org/index.php?category=foo&id=123
we automatically run “foo” and “123” through the Cleantext library, and if the original input does not match the output, we can reasonably assume that someone is trying to inject malicious code:
if ($_POST['first_name'] != cleantext($_POST['first_name'])) {
// Send a 404, or even a 400 HTTP code to prevent the request from being fulfilled
}
Manifesto executes this default behavior for the most common request parameters: module, function, id, and category. So if someone requests
https://example.org/index.php?category=<script>foo</script>&id=123'
their request will be immediately rejected as a hacking attempt.
Cleantext options
As noted above, Cleantext can be invoked with a second parameter indicating the particular format that is expected, e.g.:
Cleantext::clean($_POST['id'],'integer'); // Allow only integers
or
cleantext($_POST['web_address'],'url'); // Allow only valid URLs
A comprehensive list of available options is below.
| Option string | Description |
|---|---|
| text/html | Allow full HTML* |
| text/x-html | Allow a subset of HTML** |
| passthrough | Only essential scrubbing |
| shortname | Conforms to Manifesto shortname format |
| int/integer | Integers only |
| float | Floats only |
| alpha | Only a-zA-Z characters |
| alphanumeric | Only a-zA-Z0-9 characters |
| ltr | a-zA-Z, but only 1 character |
| datetime | YYYY-MM-DD HH:MM:SS format |
| year | YYYY format |
| month | M, 0M or MM format |
| datenum | D, 0D, or DD format |
| date | YYYY-MM-DD or DD-MM-YYYY format |
| time | HH:MM:SS format |
| yearmonth | YYYY-MM format |
| cc | Credit card format (16 digits plus dashes or spaces) |
| phone | Phone number with optional extension |
| | Cleans email address |
| email-check | Returns email address if valid, or false |
| url | Returns scrubbed URL |
| dateobj | Returns Manifesto Date object if valid |
| array | Checks for match against provided 3rd parameter*** |
* “Allow full HTML” always removes any style or head blocks, and removes HTML comments and script tags according to the global “Permissive content” settings.
** “X-HTML” allows the tags address, a, b, strong, blockquote, i, em, span, img, u, ol, ul, li, br, p and h1-h6.
*** The “array” option takes a third parameter specifying the array whose elements are checked for a match, e.g.:
Cleantext::clean($_POST['selection'],'array', array('Blue','Red','White'));
This will return an empty string if the user's 'selection' value does not match one of 'Blue', 'Red' or 'White'.
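Combining the reject-on-mismatch check described earlier with the typed options above, the following is an added example and not code from Manifesto itself. It assumes the Cleantext class is already loaded by Manifesto's bootstrap, that the parameter-to-format mapping shown is the one you want (the page does not prescribe one), and that Cleantext::clean() returns a scrubbed value, empty string or false when input does not fit the requested format.

```php
<?php
// Added example (not Manifesto's own code). Assumes Cleantext is loaded and
// that Cleantext::clean() returns the scrubbed value, '' or false on bad input.

// Assumed mapping of the common request parameters to the format we expect.
$expected = [
    'module'   => 'shortname',
    'function' => 'shortname',
    'id'       => 'integer',
    'category' => 'alphanumeric',
];

/**
 * Return the names of parameters whose scrubbed form differs from the raw
 * input. As the page describes, any such mismatch is treated as an
 * injection attempt rather than silently "repaired".
 */
function rejectedParams(array $input, array $expected): array
{
    $bad = [];
    foreach ($expected as $name => $format) {
        if (!isset($input[$name])) {
            continue; // an absent parameter is not an attack
        }
        $raw   = (string) $input[$name];
        $clean = Cleantext::clean($raw, $format);
        // Compare as strings, strictly: a loose != would treat a false return
        // (e.g. from 'email-check') and an empty string as equal to each other,
        // and an integer 123 returned for 'integer' must still match "123".
        if ((string) $clean !== $raw) {
            $bad[] = $name;
        }
    }
    return $bad;
}

$rejected = rejectedParams($_GET, $expected);
if ($rejected !== []) {
    // Refuse the request outright; do not try to serve it with "fixed" input.
    http_response_code(400);
    header('Content-Type: text/plain');
    exit('Bad request: invalid parameter(s): ' . implode(', ', $rejected));
}

// From here on, work only with the scrubbed values, never the raw ones.
$id       = Cleantext::clean($_GET['id'] ?? '', 'integer');
$category = Cleantext::clean($_GET['category'] ?? '', 'alphanumeric');
```

A request such as the earlier index.php?category=<script>foo</script>&id=123' example is rejected at the first mismatch, so neither value reaches query construction or page output.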