On 03/11/10 18:43, Ashar Voultoiz wrote:
On 03/11/10 08:10, Tim Starling wrote:
I don't think JSON support is particularly important since it can easily be simulated, and I don't think you should use the filter extension in MediaWiki, regardless of whether it is supported.
Just out of curiosity, what is wrong with the filter extension? From far away, it looks like it could be used to speed up some of our sanitization checks.
filter_input() can't be used because it skips the abstractions in $wgRequest. filter_var() could theoretically be used, but it seems to me that you would very rarely want to do so.
Many of the filters are poorly-documented and so are subject to change. For instance, you wouldn't want to use FILTER_VALIDATE_EMAIL, because it's not clear what it does exactly, and whatever it is, it's probably not the same as MediaWiki's view of an email address, per User::isValidEmailAddr(). Even if it was the same, it might change in the next minor release, breaking existing MediaWiki installations.
The escaping filters such as FILTER_SANITIZE_ENCODED and FILTER_SANITIZE_SPECIAL_CHARS have perfectly good equivalents already (urlencode() and htmlspecialchars()). The point of having them in the filter module is to encourage input-side escaping. However, I'm strongly against any kind of input-side escaping since it's hard to review and often leads to security vulnerabilities.
Similarly, the stripping filters, such as FILTER_SANITIZE_STRING and FILTER_SANITIZE_URL, are examples of incorrect security policy. When applied on the input side as intended, they break the application logic, silently mangling user input, but they often fail to protect against security vulnerabilities. The false sense of security they give leads developers to forget output-side escaping, with disastrous results whenever the stripping function was not designed for the kind of output done.
For example, this is OK:
    $foo = filter_input( INPUT_GET, 'foo', FILTER_SANITIZE_STRING );
    $bar = filter_input( INPUT_GET, 'foo', FILTER_SANITIZE_MAGIC_QUOTES );
    echo $foo;
    $db->query( "select '$bar' limit 1" );
But this is XSS:
    $url = filter_input( INPUT_GET, 'url', FILTER_SANITIZE_URL );
    echo "<img src=\"$url\"/>";
That just leaves the simplest filters, like FILTER_VALIDATE_FLOAT. They're the only ones that I think could have any potential usefulness. But you'd want to have a very good reason for using them, since code which uses an unfamiliar module will typically be harder for regular MediaWiki developers to read and interpret than code which just uses basic functions and regexes.
-- Tim Starling
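The XSS case in Tim's message, worked through as an added example (this is not code from the thread or from MediaWiki). It uses filter_var() on a constructed string rather than filter_input() so it runs from the CLI, and it places the same value into the same `<img src>` attribute first with input-side sanitisation only, then with output-side htmlspecialchars(). It also shows the "silently mangling user input" point on a legitimate URL. Function names are made up for the example. Note that FILTER_SANITIZE_MAGIC_QUOTES was removed in PHP 8.0 and FILTER_SANITIZE_STRING is deprecated since 8.1; FILTER_SANITIZE_URL still exists and behaves as shown.

```php
<?php
declare(strict_types=1);

// Added example, not from the original thread or MediaWiki.
// Demonstrates why FILTER_SANITIZE_URL does not prevent XSS when the value
// is written into an HTML attribute, and what output-side escaping does.

// Constructed attacker-controlled value, as it could arrive in ?url=...
// The string contains no characters that are illegal in a URL, so the
// sanitiser has nothing to remove.
const PAYLOAD = '"><script>alert(1)</script>';

// Input-side "sanitisation": FILTER_SANITIZE_URL strips only characters
// that cannot appear in a URL. Quotes, '<' and '>' are all kept.
function sanitizeUrlInput(string $raw): string
{
    $clean = filter_var($raw, FILTER_SANITIZE_URL);
    // filter_var returns false on failure; treat that as an empty string.
    return $clean === false ? '' : $clean;
}

// The pattern from the thread: the attacker's quote closes src="..." and a
// script element follows. The sanitiser did not change the value at all.
function imgTagUnsafe(string $url): string
{
    return "<img src=\"$url\"/>";
}

// Output-side escaping: encode for the context the value is written into.
// Inside a double-quoted attribute, ENT_QUOTES makes both quote characters
// inert and '<' / '>' become entities, so the attribute cannot be closed.
// This prevents breaking out of the attribute; it is not URL validation
// (a scheme allowlist would be a separate, additional check).
function imgTagSafe(string $url): string
{
    $escaped = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<img src=\"$escaped\"/>";
}

// 1. The sanitiser passes the payload through untouched.
$url = sanitizeUrlInput(PAYLOAD);
printf("sanitiser changed payload: %s\n", $url === PAYLOAD ? 'no' : 'yes');

// 2. Same value, two ways of emitting it.
echo "unsafe: ", imgTagUnsafe($url), "\n";
echo "safe:   ", imgTagSafe($url), "\n";

// 3. The flip side: a harmless URL with a space (a legitimate, if sloppy,
//    user input) is silently mangled by the same filter. Constructed input.
$legit = 'https://example.org/some page?q=1';
echo "mangled: ", sanitizeUrlInput($legit), "\n";
```

Run with `php example.php`. The first line reports that the sanitiser did not change the payload; the "unsafe" tag contains a live `<script>` element after the closed `src` attribute, while the "safe" tag contains only entities inside the attribute; the last line shows the space removed from the legitimate URL, which is the application-logic breakage Tim describes.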