I'm working with an app that was upgraded to 2.5 from 1.1 recently.

I always thought that the native cakephp behavior with text boxes and text areas was to strip html tags from input.

Recently we discovered that this is not happening in this app.

So my question is this: is my initial assumption incorrect, and Cake does not handle this by default, so we need to do this ourselves explicitly? Or is it possible to turn this off, and maybe that is what occurred here, and where would I look to find this out? I did some searching, including the Cake site, but keep getting referred to the Sanitize utility of Cake, which was deprecated in 2.3.

Any help or direction is greatly appreciated.

GatorGuy023
  • This may be useful: http://www.sitepoint.com/php-security-cross-site-scripting-attacks-xss/ – Costa Sep 20 '14 at 23:48

2 Answers

You are referring to Data Sanitization.

In CakePHP 1.x it was handled via a helper class.

http://book.cakephp.org/1.3/en/The-Manual/Common-Tasks-With-CakePHP/Data-Sanitization.html

Data sanitization has never been automatic or default for any input received by a controller, but when you updated to CakePHP 2.5 the sanitization helper had been removed. So you must have removed it without realizing it during the migration to Cake 2.5.

http://book.cakephp.org/2.0/en/core-utility-libraries/sanitize.html

The reason it was removed is because it was insecure and easily circumvented by hackers. CakePHP 1.x sites are subject to XSS attacks.

http://en.wikipedia.org/wiki/Cross-site_scripting

Before you can safely implement cleaning of form data, you should be aware of how easy it is for hackers to bypass input filtering to inject unwanted data.

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

Without knowing the nature of the form you are sanitizing, it's not possible for me to recommend a solution. The safest approach would be to strip all non-alphanumeric characters except punctuation marks.

Reactgular
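As an added illustration of the point this answer makes (example code written for this page, not from the answer, the question or CakePHP itself): tag stripping on input is easy to get past, while encoding at output time handles every one of the same payloads. It assumes plain PHP 7.1+ run from the command line with no framework loaded; the helper names stripOnInput, encodeForHtml and renderProfile and the template fragments are made up for the demo. Two facts it relies on: PHP's strip_tags() keeps every attribute of a tag you allow, and CakePHP's h() is a wrapper around htmlspecialchars() with ENT_QUOTES, so the "encoded" output below is what a view that uses h() would emit.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original page. Plain PHP, no framework;
// the function names below are invented for this demo.

/**
 * The kind of input filter the question has in mind: allow a couple of
 * "harmless" tags so users can format a post, drop everything else.
 * strip_tags() keeps every attribute of an allowed tag, so this is the
 * weak "before" version.
 */
function stripOnInput(string $input): string
{
    return strip_tags($input, '<a><b>');
}

/**
 * Output encoding for the HTML text and quoted-attribute contexts.
 * ENT_QUOTES also encodes the single quote, so the result is safe inside
 * single- and double-quoted attributes. This is the same transformation
 * CakePHP's h() applies.
 */
function encodeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Render a small "profile" fragment the way a template would, either echoing
 * the stored value raw ($encode = false) or encoding it at output time.
 */
function renderProfile(string $displayName, string $bio, bool $encode): string
{
    $name    = $encode ? encodeForHtml($displayName) : $displayName;
    $bioHtml = $encode ? encodeForHtml($bio) : $bio;
    return '<input name="display_name" value="' . $name . '">' . "\n"
         . '<div class="bio">' . $bioHtml . '</div>';
}

// Constructed attacker inputs. None of them contains a disallowed tag, so all
// three pass stripOnInput() unchanged.
$payloads = [
    'attribute breakout' => '" autofocus onfocus="alert(1)',        // no tags at all
    'javascript: link'   => '<a href="javascript:alert(1)">me</a>', // allowed tag, hostile href
    'event handler'      => '<b onmouseover="alert(1)">hover</b>',  // allowed tag, hostile attribute
];

foreach ($payloads as $label => $raw) {
    $filtered = stripOnInput($raw);
    printf("== %s ==\n", $label);
    printf("survives strip_tags unchanged: %s\n", $filtered === $raw ? 'yes' : 'no');
    echo "-- stored value echoed raw into the view:\n",
         renderProfile($filtered, $filtered, false), "\n";
    echo "-- same value encoded at output (what h() would do):\n",
         renderProfile($filtered, $filtered, true), "\n\n";
}
```

Run it with `php demo.php` and compare the two renderings for each payload: the raw echo of the first payload produces `value="" autofocus onfocus="alert(1)">`, which is a working attribute breakout, whereas the encoded version keeps the quotes inside the attribute as `&quot;`. The trade-off is visible in the second payload: encoding turns the `<a>` into literal text, so if users are supposed to be able to post links you need an allowlisting HTML parser at that point rather than either strip_tags() or plain encoding.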
Depending on the level of sanitization you need, take a look at HtmlPurifier. Either use the lib directly or this plugin for CakePHP. It takes care of XSS as well.

HtmlPurifier can be configured to filter HTML very specifically. For example, you can allow the <a> tag but no attribute other than src, or only id.

floriank
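To make the configuration this answer describes concrete, here is an added example (written for this page, not taken from the answer or from the HTML Purifier project) of an allowlist for a comment or bio field: links, bold, italic and paragraphs only, with href restricted to http(s) URLs. It assumes the library was installed with Composer (`composer require ezyang/htmlpurifier`) and that the script sits next to the resulting vendor/ directory; the function name buildCommentPurifier and the sample inputs are constructed for the demo.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original page or from HTML Purifier.
// Assumes: composer require ezyang/htmlpurifier, run from the project root.
require_once __DIR__ . '/vendor/autoload.php';

/**
 * Build a purifier for user-supplied rich text. Everything not on the
 * allowlist is removed rather than "detected", which is what makes this hold
 * up against the tricks that get past a blocklist or strip_tags().
 */
function buildCommentPurifier(): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();
    // Tags and attributes that survive. a[href] means: <a>, with href only;
    // onmouseover, style, target and every other attribute are dropped.
    $config->set('HTML.Allowed', 'a[href],b,i,p,br');
    // href may only be an http or https URL; javascript:, data:, vbscript: etc.
    // are removed, leaving a plain <a> around the text.
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
    // Do not write the definition cache into the library directory on each run.
    $config->set('Cache.DefinitionImpl', null);
    return new HTMLPurifier($config);
}

// Constructed hostile and benign inputs: the same shapes strip_tags() lets through.
$samples = [
    'javascript: link' => '<a href="javascript:alert(1)">click</a>',
    'event handler'    => '<b onmouseover="alert(1)">bold</b>',
    'script tag'       => 'hello <script>alert(1)</script> world',
    'attribute-only'   => '" autofocus onfocus="alert(1)',
    'benign'           => '<p>See <a href="https://example.com/">this</a> for <i>details</i>.</p>',
];

$purifier = buildCommentPurifier();
foreach ($samples as $label => $dirty) {
    printf("%-17s %s\n", $label . ':', $purifier->purify($dirty));
}
```

Two things to check in the output: the hostile href and the onmouseover attribute should be gone while the surrounding <a> and <b> remain, and the benign sample should come back with its https link intact. The attribute-only sample shows the other half of the design: a purifier only guarantees well-formed, allowlisted HTML, so a value that is later placed inside an attribute by the view still has to be encoded there with h().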