Protect against XSS and CSRF + some improvements #30

metamorfosec · 2018-09-19T02:55:59Z

Hello..,
This is a pull request for issue #29 .

1. add paths for protecting against csrf and xss 2. check Token is valid and recent

1. add paths for protecting csrf and xss 2. check Token is valid and recent

1. add paths for protecting against csrf and xss 2. check Token is valid and recent

1. start session, add Token 2. autocomplete = "off"

1. start session, add Token 2. autocomplete="off"

Use HTMLPurifier only for title, description, and copyright

From isset($_POST['login']) to isset($_POST['title'])

atutor · 2018-09-22T13:29:50Z

There are some new problems with the content editor and rendered content contain page templates. When a page template is added the reorder buttons and a rouge X gets rendered when the content is displayed. The reorder button should only appear in the Page Template preview in the content editor.

Can any of the HTML Purifier files be eliminated. There seems to be a lot of files that are not required. Also things like the form_demo.php in the crsf folder should be cleaned out.

I have not done a thorough code review. This pull request should be broken down into smaller more manageable chunks. And, a little more description provided with each.

As it is I can't merge this pull request.

We use TABLE_PREFIX to prevent error "Table ac_tests_questions doesn't exist" when editing or deleting created tests

We depend on htmlspecialchars, trim, stripslashes, and strip_tags to prevent Reflected XSS for p parameter

We depend on htmlspecialchars, trim, stripslashes, and strip_tags to prevent XSS for vulnerable or suspected parameters

We depend on htmlspecialchars, trim, stripslashes, and strip_tags to prevent Reflected XSS for title parameter

We depend on htmlspecialchars, trim, stripslashes, and strip_tags to prevent Reflected XSS for _cid parameter

1. We depend on htmlspecialchars, trim, stripslashes, and strip_tags to prevent XSS for vulnerable or suspected parameters 2. If CSRF_Token is not valid and not recent, then make values from user unchangeable by CRSF Payload

We depend on htmlspecialchars, trim, stripslashes, and strip_tags to prevent XSS for vulnerable or suspected parameters

metamorfosec · 2018-09-24T00:32:54Z

Hello..,
Thanks for fast response.
I have updated the files as your suggestion and the issue above should be fixed now.
However, I still have faced some warning messages as in original work also behaves like that.
I will provide the updates with more descriptive in smaller more manageable chunks as your suggestion.
Regards.

metamorfosec added 30 commits September 12, 2018 14:51

csrf_class

7e48cf6

HTMLPurifier.autoload

0f90509

another files in library

77c6730

protect against xss

45329db

protect against csrf and xss

522d65d

1. add paths for protecting against csrf and xss 2. check Token is valid and recent

protect against csrf and xss

d94f4be

1. add paths for protecting csrf and xss 2. check Token is valid and recent

protect against csrf and xss

50c408b

1. add paths for protecting against csrf and xss 2. check Token is valid and recent

protect against xss and csrf

077d9c3

1. start session, add Token 2. autocomplete = "off"

protect against xss and csrf

ed15eb7

1. start session, add Token 2. autocomplete="off"

protect against xss and csrf

597cb9c

1. start session, add Token 2. autocomplete="off"

Bootstrap

5d4b551

Another files

80ae5a4

Validator

54a6442

Add files via upload

7e7a1be

Create ConfigSchema.php

bee18a4

Add files via upload

5157ae7

Add files via upload

aef64c5

Add files via upload

7697de1

Add files via upload

f88d502

Add files via upload

adb2bb3

Add files via upload

d2da28d

Add files via upload

b62e891

Add files via upload

1caba3c

Add files via upload

08b2110

Add files via upload

9b6426c

Add files via upload

c23f2c3

change name from Token to CSRF_Token

82a14e2

Add files via upload

c4f0602

Add files via upload

f18b09b

Add files via upload

e03ceba

metamorfosec added 7 commits September 17, 2018 13:44

Add HTMLPurifier Path

57940d5

Add ClassCSRF and HTMLPurifier Paths

205b273

Update the use of HTMLPurifier

573acb3

Use HTMLPurifier only for title, description, and copyright

Replace 'login' with 'title'

88491a9

From isset($_POST['login']) to isset($_POST['title'])

Protect against XSS

3d08b68

Prevent reflected XSS on _cid parameter

47d99e8

Add HTMLPurifier Path

510c8ee

metamorfosec and others added 21 commits September 23, 2018 09:26

Use TABLE_PREFIX to prevent error

8f0d955

We use TABLE_PREFIX to prevent error "Table ac_tests_questions doesn't exist" when editing or deleting created tests

Remove Folder Protection contains third party class and library

1935676

To prevent CSRF

bf215b5

Remove HTMLPurifier Path, add htmlspecialchars...

5965841

We depend on htmlspecialchars, trim, stripslashes, and strip_tags to prevent Reflected XSS for p parameter

Remove HTMLPurifier Path

022a541

Remove HTMLPurifier Path, add htmlspecialchars...

0f85d59

We depend on htmlspecialchars, trim, stripslashes, and strip_tags to prevent XSS for vulnerable or suspected parameters

Remove HTMLPurifier, add htmlspecialchars...

a872c9c

We depend on htmlspecialchars, trim, stripslashes, and strip_tags to prevent XSS for vulnerable or suspected parameters

Remove HTMLPurifier

2bb3222

Remove HTMLPurifier, update class_csrf Path. ...

7ee4da2

We depend on htmlspecialchars, trim, stripslashes, and strip_tags to prevent XSS for vulnerable or suspected parameters

Remove HTMLPurifieri Path, add htmlspecialshars...

c5261d5

We depend on htmlspecialchars, trim, stripslashes, and strip_tags to prevent Reflected XSS for title parameter

Remove HTMLPurifier Path

f8a34c2

Update csrf_class Path

99449c5

Update csrf_class Path

075b257

Remove HTMLPurifier Path, add htmlspecialchars...

fd11198

We depend on htmlspecialchars, trim, stripslashes, and strip_tags to prevent Reflected XSS for _cid parameter

Remove HTMLPurifier, update csrf_class Path,..

7fa1fab

1. We depend on htmlspecialchars, trim, stripslashes, and strip_tags to prevent XSS for vulnerable or suspected parameters 2. If CSRF_Token is not valid and not recent, then make values from user unchangeable by CRSF Payload

Remove csrf_class

6f2462a

Update csrf_class path

dd9fcc6

Remove csrf_class

01e11f1

Remove csrf_class

f585059

Remove HTMLPurifier, add htmlspecialchars..

8de4222

We depend on htmlspecialchars, trim, stripslashes, and strip_tags to prevent XSS for vulnerable or suspected parameters

Remove csrf_class, add htmlspecialchars...

d8007c9

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Protect against XSS and CSRF + some improvements #30

Protect against XSS and CSRF + some improvements #30

Uh oh!

metamorfosec commented Sep 19, 2018

Uh oh!

atutor commented Sep 22, 2018

Uh oh!

metamorfosec commented Sep 24, 2018

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Protect against XSS and CSRF + some improvements #30

Are you sure you want to change the base?

Protect against XSS and CSRF + some improvements #30

Uh oh!

Conversation

metamorfosec commented Sep 19, 2018

Uh oh!

atutor commented Sep 22, 2018

Uh oh!

metamorfosec commented Sep 24, 2018

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants