On 03/11/10 18:43, Ashar Voultoiz wrote:
> On 03/11/10 08:10, Tim Starling wrote:
>> I don't think JSON support is particularly important since it can
>> easily be simulated, and I don't think you should use the filter
>> extension in MediaWiki, regardless of whether it is supported.
>
> Just out of curiosity, what is wrong with the filter extension? From
> far away, it looks like it could be used to speed up some of our

filter_input() can't be used because it skips the abstractions in
$wgRequest. filter_var() could theoretically be used, but it seems to
me that you would very rarely want to do so.

Many of the filters are poorly-documented and so are subject to
change. For instance, you wouldn't want to use FILTER_VALIDATE_EMAIL,
because it's not clear what it does exactly, and whatever it is, it's
probably not the same as MediaWiki's view of an email address, per
User::isValidEmailAddr(). Even if it was the same, it might change in
the next minor release, breaking existing MediaWiki installations.

The escaping filters such as FILTER_SANITIZE_ENCODED and
FILTER_SANITIZE_SPECIAL_CHARS have perfectly good equivalents already
(urlencode() and htmlspecialchars()). The point of having them in the
filter module is to encourage input-side escaping. However, I'm
strongly against any kind of input-side escaping since it's hard to
review and often leads to security vulnerabilities.

Similarly, the stripping filters, such as FILTER_SANITIZE_STRING and
FILTER_SANITIZE_URL, are examples of incorrect security policy. When
applied on the input side as intended, they break the application
logic, silently mangling user input, but they often fail to protect
against security vulnerabilities. The false sense of security they give
leads developers to forget output-side escaping, with disastrous
results whenever the stripping function was not designed for the kind
of output done.

For example, this is OK:

    $foo = filter_input( INPUT_GET, 'foo', FILTER_SANITIZE_STRING );
    $bar = filter_input( INPUT_GET, 'foo', FILTER_SANITIZE_MAGIC_QUOTES );
    $db->query( "select '$bar' limit 1" );

But this is XSS:

    $url = filter_input( INPUT_GET, 'url', FILTER_SANITIZE_URL );
    echo "<img src=\"$url\"/>";

That just leaves the simplest filters, like FILTER_VALIDATE_FLOAT.
They're the only ones that I think could have any potential
usefulness. But you'd want to have a very good reason for using them,
since code which uses an unfamiliar module will typically be harder
for regular MediaWiki developers to read and interpret than code which
just uses basic functions and regexes.

-- Tim Starling
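The contrast between input-side stripping and output-side escaping drawn in the mail above, as an added example that is not part of the original message. The sample value and the helper names imgStripped(), imgEscaped() and attributeNames() are constructed for this illustration; filter_var() stands in for filter_input() so the script runs from the PHP CLI.

```php
<?php
// Added illustration, not code from the original mail.
// Constructed sample value: a double quote followed by an extra attribute.
$input = 'cat.png" data-injected="1';

// Input-side stripping as in the mail's second snippet. filter_var() is used
// so the script runs from the CLI without a real GET request.
$stripped = filter_var($input, FILTER_SANITIZE_URL);

// The pattern from the mail: the stripped value is interpolated unescaped.
function imgStripped(string $url): string
{
    return "<img src=\"$url\"/>";
}

// Output-side escaping: the raw value is escaped for the HTML attribute
// context at the point where it is printed.
function imgEscaped(string $url): string
{
    return '<img src="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '"/>';
}

// Hypothetical helper: rough list of attribute names that open a quoted
// value in a tag. A regex check for this demo, not an HTML parser.
function attributeNames(string $tag): array
{
    preg_match_all('/([a-z-]+)="/i', $tag, $m);
    return $m[1];
}

$cases = [
    'stripped on input' => imgStripped($stripped),
    'escaped on output' => imgEscaped($input),
];
foreach ($cases as $label => $tag) {
    printf("%-18s %s\n  attributes: %s\n", $label, $tag,
        implode(', ', attributeNames($tag)));
}

// Stripping also changed the data: compare the stripped value to the input.
var_dump($stripped === $input);
```

FILTER_SANITIZE_URL keeps the double quote, so the stripped value still closes the src attribute and a second attribute appears in the tag, while the escaped output keeps the whole value inside src. The final comparison shows that the filter also altered the input it was given.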