Escape unsanitized input in OAuth example #423

brandur · 2018-01-17T19:30:46Z

Here we run unsanitized input through htmlspecialchars before echoing
it to screen. Most of these fields will come from our own processes, but
because they're taken from $_GET, they could potentially contain
content set by a malicious user.

I think htmlspecialchars is the right thing to do here. It just
escapes HTML-related characters instead of anything that has an HTML
equivalent like htmlentities (which is probably overkill here).

r? @ob-stripe

Here we run unsanitized input through `htmlspecialchars` before echoing it to screen. Most of these fields will come from our own processes, but because they're taken from `$_GET`, they could potentially contain content set by a malicious user. I think `htmlspecialchars` is the right thing to do here. It just escapes HTML-related characters instead of anything that has an HTML equivalent like `htmlentities` (which is probably overkill here).

ob-stripe

👍

brandur-stripe · 2018-01-17T20:52:12Z

Thanks OB.

stripe-ci assigned ob-stripe Jan 17, 2018

ob-stripe approved these changes Jan 17, 2018

View reviewed changes

stripe-ci added the approved label Jan 17, 2018

brandur-stripe merged commit d6d98c3 into master Jan 17, 2018

brandur-stripe deleted the brandur-escape-special-chars branch January 17, 2018 20:52

brandur-stripe pushed a commit that referenced this pull request Feb 7, 2018

Add pull request #423 to 5.9.0

5c2d7b3

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Escape unsanitized input in OAuth example #423

Escape unsanitized input in OAuth example #423

brandur commented Jan 17, 2018

ob-stripe left a comment

brandur-stripe commented Jan 17, 2018

Escape unsanitized input in OAuth example #423

Escape unsanitized input in OAuth example #423

Conversation

brandur commented Jan 17, 2018

ob-stripe left a comment

Choose a reason for hiding this comment

brandur-stripe commented Jan 17, 2018