Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Escape unsanitized input in OAuth example #423

Merged
merged 1 commit into from
Jan 17, 2018

Conversation

brandur
Copy link
Contributor

@brandur brandur commented Jan 17, 2018

Here we run unsanitized input through htmlspecialchars before echoing
it to screen. Most of these fields will come from our own processes, but
because they're taken from $_GET, they could potentially contain
content set by a malicious user.

I think htmlspecialchars is the right thing to do here. It just
escapes HTML-related characters instead of anything that has an HTML
equivalent like htmlentities (which is probably overkill here).

r? @ob-stripe

Here we run unsanitized input through `htmlspecialchars` before echoing
it to screen. Most of these fields will come from our own processes, but
because they're taken from `$_GET`, they could potentially contain
content set by a malicious user.

I think `htmlspecialchars` is the right thing to do here. It just
escapes HTML-related characters instead of anything that has an HTML
equivalent like `htmlentities` (which is probably overkill here).
Copy link
Contributor

@ob-stripe ob-stripe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

@brandur-stripe
Copy link
Contributor

Thanks OB.

@brandur-stripe brandur-stripe merged commit d6d98c3 into master Jan 17, 2018
@brandur-stripe brandur-stripe deleted the brandur-escape-special-chars branch January 17, 2018 20:52
brandur-stripe pushed a commit that referenced this pull request Feb 7, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants