[SOLVED] CGCalendar, link sets some text into form field?

velden
Dev Team Member
Posts: 3497
Joined: Mon Nov 28, 2011 9:29 am

Re: CGCalendar, link sets some text into form field?

Post by velden »

thomahawk wrote:Now to the security!

I assume one could send anything with such a link, maybe some php injection?

Velden mentioned: "Note that using parameters (get or post) should be validated before actually using them (for security reasons)."

But now, how can I do that validation?
I recently used this call for a module. But I'm not sure if that is safe enough as the variable is already used in a smarty call itself...

Code:

{ModuleName param="/xxx/{$smarty.get.urlparam|regex_replace:'#[^a-zA-Z0-9/_\- ]#':''}"}

The idea of the regex_replace above is to remove any character that is not a space, underscore, hyphen, digit or a-zA-Z.
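Added example (not part of the thread, and not code from CMS Made Simple or Smarty): the same character allow-list velden applies with regex_replace, written as plain PHP so it can be tested outside a template. The function names, the constructed sample inputs and the 64-character length limit are assumptions for illustration; the regex is the one from the post. It also shows the stricter alternative of rejecting a value that does not match, rather than silently stripping characters from it.

```php
<?php
// Added example, not from the thread: velden's character allow-list as plain PHP.
declare(strict_types=1);

/**
 * Sanitising variant: drop every character that is not a letter, digit,
 * slash, underscore, hyphen or space. Mirrors the Smarty call
 *   {$smarty.get.urlparam|regex_replace:'#[^a-zA-Z0-9/_\- ]#':''}
 */
function sanitizeUrlParam(string $raw): string
{
    return preg_replace('#[^a-zA-Z0-9/_\- ]#', '', $raw);
}

/**
 * Validating variant: accept the value only if it is non-empty, not
 * overly long (64 is an assumed limit) and made entirely of allowed
 * characters; otherwise return null so the caller can use a default
 * instead of a mangled value.
 */
function validateUrlParam(string $raw, int $maxLen = 64): ?string
{
    if ($raw === '' || strlen($raw) > $maxLen) {
        return null;
    }
    return preg_match('#^[a-zA-Z0-9/_\- ]+$#', $raw) === 1 ? $raw : null;
}

// Constructed sample inputs, as they might arrive in $_GET['urlparam'].
$samples = [
    'events/2014_spring',   // well-formed: passes both functions unchanged
    'Tech Talk - Room 3',   // spaces and hyphens are on the allow-list
    'events/<b>bold</b>',   // sanitize -> 'events/bbold/b', validate -> null
    'Caf' . "\xc3\xa9" . ' M' . "\xc3\xbc" . 'ller', // 'Café Müller' in UTF-8
];

// Note the last case: the class is ASCII-only, so each UTF-8 byte of
// 'é' and 'ü' is removed and the sanitised value becomes 'Caf Mller'.
// A site with non-English event names needs a wider class (e.g. \p{L}
// with the /u modifier) rather than this one.
foreach ($samples as $s) {
    printf("%-24s sanitize=%-22s validate=%s\n",
        var_export($s, true),
        var_export(sanitizeUrlParam($s), true),
        var_export(validateUrlParam($s), true));
}
```

Stripping keeps the page working on bad input, but it also means a garbled value is used as if it were valid; rejecting and falling back to a default is usually the safer choice when the parameter selects content.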
JohnnyB
Dev Team Member
Posts: 731
Joined: Tue Nov 21, 2006 5:05 pm

Re: CGCalendar, link sets some text into form field?

Post by JohnnyB »

thomahawk wrote:Now to the security!
Yes, it is best practice to sanitize and validate the expected results.
To sanitize you could use Smarty modifiers like |strip_tags and |htmlspecialchars to remove any HTML, JS, PHP tags from the string and to turn any characters like <, > and others into their special character equivalents.

To validate, it would take some REGEX to check if the value is what you expect it to be. For example, the event name would only contain characters a to z and 0 to 9 and maybe you will allow an ! or a " in the name. So, regex would be used to check that.

For example, this would allow letters, numbers, and spaces, and underscores too I think... But, it will depend upon the character encoding and language for your site....

^[\w ]+$

-- Others may have more suggestions --
"The art of life lies in a constant readjustment to our surroundings." -Okakura Kakuzo

--
LinkedIn profile
--
I only speak/write in English so I may not translate well on International posts.
--
thomahawk
Power Poster
Posts: 312
Joined: Fri Jul 25, 2008 10:13 am

Re: CGCalendar, link sets some text into form field?

Post by thomahawk »

Thank you JohnnyB and Velden. So I suppose this should make it safe enough:

{FormBuilder form='anmeldeformular' value_fld43=$smarty.get.event|strip_tags}

Anyway, it seems whatever is passed along with the URL, if it survives the strip_tags, does nothing else but get displayed in the form field.

Regards,
Thom
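Added example (not part of the thread, and not code from CMS Made Simple, Smarty or FormBuilder) for JohnnyB's sanitize/validate advice and the |strip_tags usage above: it runs a few constructed event names through strip_tags, through htmlspecialchars, and through the ^[\w ]+$ pattern, and renders each result into the value="..." attribute of an <input> the way a form field would. The function names, the field markup and the sample names are assumptions for illustration.

```php
<?php
// Added example, not from the thread: strip_tags vs htmlspecialchars vs a
// regex check, seen from the point where the value lands in a form field.
declare(strict_types=1);

/** Tag removal only, as the |strip_tags Smarty modifier does. */
function viaStripTags(string $raw): string
{
    return strip_tags($raw);
}

/** Escaping for HTML (attribute) context, as |htmlspecialchars does. */
function viaHtmlSpecialChars(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * JohnnyB's pattern ^[\w ]+$. Without /u, \w in PHP's PCRE covers only
 * ASCII letters, digits and underscore; with /u it also matches
 * Unicode letters such as ü, which is the encoding/language caveat.
 */
function isPlainName(string $raw, bool $unicode = false): bool
{
    $pattern = $unicode ? '/^[\w ]+$/u' : '/^[\w ]+$/';
    return preg_match($pattern, $raw) === 1;
}

/** Assumed markup of the form field the value is displayed in. */
function renderField(string $value): string
{
    return '<input type="text" name="event" value="' . $value . '">';
}

// Constructed sample event names (the strings are UTF-8).
$samples = [
    'Spring Meetup 2014',
    'Tech Talk "Security"',              // the " the thread considers allowing
    'Sommerfest f' . "\xc3\xbc" . 'r Alle', // 'Sommerfest für Alle'
    'Talk <b>now</b>',
];

foreach ($samples as $s) {
    echo 'input: ' . $s . "\n";
    // strip_tags leaves the quote in place, so the attribute value ends
    // at the first " in 'Tech Talk "Security"' and the markup is malformed.
    echo '  strip_tags       -> ' . renderField(viaStripTags($s)) . "\n";
    // htmlspecialchars turns " into &quot; and < into &lt;, so the field
    // shows the text exactly as typed and the markup stays well-formed.
    echo '  htmlspecialchars -> ' . renderField(viaHtmlSpecialChars($s)) . "\n";
    echo '  ^[\w ]+$ ascii=' . var_export(isPlainName($s), true)
        . ' /u=' . var_export(isPlainName($s, true), true) . "\n\n";
}
```

The two modifiers answer different questions: strip_tags changes the content (tags are gone, quotes stay), while htmlspecialchars leaves the content alone and makes it safe to place inside the HTML. For a value that ends up in a field's value attribute, htmlspecialchars is the one that matches the context; a regex check on top of it decides whether the value is acceptable at all.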