Hi there,

    Thanks for the great software

    Just wondering if this plugin has ever been fuzz tested for user input? I’m not an expert in injection, but I notice HTML tags enter the database fields from user input on the front end:

    Would it be wise to consider parsing text lines through sanitize_text_field() and text areas through sanitize_textarea_field()?

    https://developer.www.ads-software.com/apis/security/sanitizing/

Viewing 6 replies - 1 through 6 (of 6 total)
    Plugin Author xnau webdesign

    (@xnau)

    Yes, all input to Participants Database is sanitized, a couple of years ago we did a security check on user input and tightened it up a lot, and we continue to look for ways to improve it.

    The input you are testing is not dangerous, and there are lots of users that want to store HTML in text fields, but what html is allowed is filtered by the wp_kses() function to disallow anything that might be malicious. The functions you suggest we use don’t allow HTML.

    If you have a specific security concern, let us know, we want to make sure our product is as secure as it can be.

    Thread Starter Trippetchz

    (@trippetchz)

    Hi there,

    Thanks for getting back.

    Sure, the above example wasn’t dangerous, but this potentially is:

    And that passed through wp_kses() (apparently?) in the same vein.

    I understand you’re saying some use cases want to accept HTML and other input through Participants Database, but for our use, we definitely do not want any possibility of any tags or any other input being inserted in any of our front-end (or back-end), especially in fields such as “First Name” or “Last Name” where it should never be expected/accepted.

    If this isn’t going to be mainlined, are there some hooks we can use to invoke sanitize_text_field() and sanitize_textarea_field() for our own set up then, please?

    Thanks!
    T

    Plugin Author xnau webdesign

    (@xnau)

    There are several ways you can prevent tags from getting submitted. Doing it in the validation allows you to provide user feedback.

    You can use a simple regex validation on the field that does not allow the “less than” symbol: /^[^<]+$/ This will effectively prevent tags from getting submitted.

    If you want a more detailed approach, you can use a custom validation: Custom Field Validation

    If you want to just sanitize it before it gets stored to the db, you can use these two filters: pdb-before_submit_signup and pdb-before_submit_update. These filters are easy to use, they pass in the posted data and expect the posted data to be returned. You can alter the data before it is returned.

    I’m not suggesting you wait for this, but I do plan to add a setting that can disallow HTML tags from text fields.
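    One way to use the two filters named in the reply above, as an added example rather than code from the thread or from the plugin itself. It assumes the filters hand over the posted data as an associative array keyed by field name (as the reply describes) and that the names of the text-area fields in the install are known; the field names and function names below are hypothetical.

```php
<?php
/**
 * Example only: strip HTML from Participants Database submissions before
 * they are stored, using the pdb-before_submit_signup and
 * pdb-before_submit_update filters.
 *
 * Assumption: the filter passes the posted data as an associative array
 * (field name => submitted value) and expects the same shape back.
 */

// Assumed: names of the fields defined as text areas in this install.
// Every other field is treated as a single-line text field.
function pdb_example_textarea_fields() {
    return array( 'notes', 'address' ); // hypothetical field names
}

function pdb_example_sanitize_submission( $posted ) {
    if ( ! is_array( $posted ) ) {
        return $posted; // leave anything unexpected untouched
    }
    $textareas = pdb_example_textarea_fields();
    foreach ( $posted as $name => $value ) {
        if ( is_array( $value ) ) {
            // Multi-value fields (checkbox groups etc.): sanitize each entry.
            $posted[ $name ] = array_map( 'sanitize_text_field', $value );
        } elseif ( in_array( $name, $textareas, true ) ) {
            // Keeps line breaks; removes tags, invalid UTF-8 and %xx octets.
            $posted[ $name ] = sanitize_textarea_field( $value );
        } else {
            // Single-line fields such as first_name / last_name: tags removed,
            // line breaks dropped, surrounding whitespace trimmed.
            $posted[ $name ] = sanitize_text_field( $value );
        }
    }
    return $posted;
}

// Same treatment for new signups and for record updates.
add_filter( 'pdb-before_submit_signup', 'pdb_example_sanitize_submission' );
add_filter( 'pdb-before_submit_update', 'pdb_example_sanitize_submission' );
```

    With this in place a first name submitted as `<b>Jane</b>` is stored as `Jane` with no feedback to the user; the regex validation suggested above is the route to take if the submission should be rejected with a message instead.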

    Thread Starter Trippetchz

    (@trippetchz)

    Hi there,

    Thanks for your reply.

    I’d like that, thanks—the option to totally disallow any HTML content in the core plugin. I think I’ll wait for that to get deployed.

    Cheers,
    T

    Thread Starter Trippetchz

    (@trippetchz)

    Hi there, not rushing you or anything, no stress, but just wondering about a potential ETA on this new feature? Thanks! T

    Plugin Author xnau webdesign

    (@xnau)

    This is coming in the next update; we’re at least a week out for that.
