• Leigh Stoller's avatar
    Cleanup in the web interface to prevent XSS attacks. · 6cf701f9
    Leigh Stoller authored
    We had a couple of different problems actually.
    
    * We allow users to insert html into many DB fields (say, a project or
      experiment description).
    
    * We did not sanitize that output when displaying back.
    
    * We did not sanitize initial page arguments that were reflected in the
      output (say, in a form).
    
    Since no one has the time to analyze every line of code, I took a couple of
    shortcuts. The first is that I changed the regex table to not allow any <>
    chars to go from the user into the DB. Brutal, but in fact there are only a
    couple of places where a user legitimately needs them. For example, a
    startup command that includes redirection. I handle those as special
    cases. As more come up, we can fix them.
    
    I did a quick pass through all of the forms, and made sure that we run
    htmlspecialchars on everything including initial form args. This was not
    too bad cause of the way all of the forms are structured, with a
    "formfields" array.
    
    I also removed a bunch of obsolete code and added an update script to
    actually remove them from the www directory.
    
    Lastly, I purged some XMLRPC code I did a long time ago in the Begin
    Experiment path. Less complexity, easier to grok and fix.
    
    	modified:   sql/database-fill.sql
    	modified:   sql/dbfill-update.sql
    6cf701f9
approveproject.php3 9.78 KB