1,184 questions
112 votes, 5 answers, 120k views
Constant FILTER_SANITIZE_STRING is deprecated
I have installed PHP 8.1 and I started testing my old project. I have used the filter FILTER_SANITIZE_STRING like so:
$username = filter_input(INPUT_POST, 'username', FILTER_SANITIZE_STRING);
Now I ...
0 votes, 1 answer, 337 views
How to sanitize input of the Spring Boot Rest controller as per snyk
I have a microservice with Spring Boot which has a lot of API endpoints. My devops team recently applied Snyk scan for the Jenkins build which is preventing API deployment due to the following error:
...
0 votes, 0 answers, 39 views
How to fix "Client Potential XSS\Ruta"?
I’m working on an AngularJS project, and after running a security scan with Checkmarx, I’ve encountered the following XSS vulnerability:
"The in the application embeds untrusted data into the ...
177 votes, 14 answers, 218k views
What are the best PHP input sanitizing functions? [duplicate]
I am trying to come up with a function that I can pass all my strings through to sanitize, so that the string that comes out of it will be safe for database insertion. But there are so many filtering ...
164 votes, 19 answers, 217k views
string sanitizer for filename
I'm looking for a PHP function that will sanitize a string and make it ready to use for a filename. Anyone know of a handy one?
(I could write one, but I'm worried that I'll overlook a character!)
...
159 votes, 19 answers, 100k views
Can I protect against SQL injection by escaping single-quote and surrounding user input with single-quotes?
I realize that parameterized SQL queries is the optimal way to sanitize user input when building queries that contain user input, but I'm wondering what is wrong with taking user input and escaping ...
163 votes, 4 answers, 154k views
Remove all non-numeric characters from a string; [^0-9] doesn't match as expected
I'm trying to remove everything from a string but just numbers (0-9).
I thought this would work:
echo preg_replace("[^0-9]","",'604-619-5135');
But it echoes "604-619-5135". What am I missing?
0 votes, 0 answers, 51 views
For safety, is it enough to check whether user input conforms to an expected value? Or do I need to escape it before output anyway? [duplicate]
Is it enough to check whether user input conforms to an expected value, before I embed it into executed code? E.g.:
$fruits = array(
"Orange",
"Banana"
);
if(isset($_GET['...
0 votes, 0 answers, 83 views
Sanitize HTML input in a C# class attribute
If one wishes to sanitize HTML input, he has to use a library like HtmlSanitizer. Example:
var sanitizer = new HtmlSanitizer();
var sanitized = sanitizer.Sanitize(model.htmlInput);
Is it possible to ...
1 vote, 1 answer, 104 views
Safe eval() by explicitly whitelisting builtins and bailing on dunders? [duplicate]
I know it's inadvisable to use eval() on untrusted input, but I want to see where this sanitiser fails. It uses a whitelist to only allow harmless builtins, and it immediately bails if there are any ...
0 votes, 0 answers, 61 views
Strapi meilisearch leaks user data
I've got a project running strapi v4 using meilisearch and instant-meilisearch in the frontend.
In my backend I've got a model called car-model which has an n:m relation to a users-permissions user. ...
142 votes, 23 answers, 204k views
Sanitizing strings to make them URL and filename safe?
I am trying to come up with a function that does a good job of sanitizing certain strings so that they are safe to use in the URL (like a post slug) and also safe to use as file names. For example, ...
1 vote, 1 answer, 566 views
How can I suppress sanitizer errors from member functions in GCC?
I'm compiling code on an Ubuntu system with GCC 11.4.0 with -fsanitize=thread.
I am getting some sanitizer errors from external libraries called from my functions. I have read that I should be able to ...
86 votes, 16 answers, 138k views
Strip all whitespace characters from a string
I know this comment on PHP.net.
I would like a tool similar to tr for PHP, so that I can simply run
tr -d " " ""
I ran the function php_strip_whitespace unsuccessfully ...
0 votes, 3 answers, 127 views
Remove consecutive duplicates of a specified value from a 2d array
As part of a larger project, I'm receiving arrays in a form similar to this:
$out = array(
'2011' => ['Out', 'arrv'],
'2012' => ['Out'],
'2013' => ['Out'],
'...
75 votes, 7 answers, 76k views
Remove parentheses and the content in between
How can I remove the text between a set of parentheses and the parentheses themselves in PHP?
Example: ABC (Test1)
I would like it to delete (Test1) and only leave ABC.
46 votes, 5 answers, 111k views
How can I sanitize my input values in Node.js?
I validated my Node.js inputs so that they won't be empty, but I want to sanitize them too. Please help me with how I can do this.
req.checkBody('name', 'Name is required!').notEmpty();
req.checkBody('...
88 votes, 7 answers, 80k views
angularjs newline filter with no other html
I'm trying to convert newline characters (\n) to html br's.
As per this discussion in the Google Group, here's what I've got:
myApp.filter('newlines', function () {
return function(text) {
...
0 votes, 0 answers, 68 views
Dompurify Error: src/app/common/util.ts:3:8 - error TS1259: Module can only be default-imported using the 'allowSyntheticDefaultImports' flag
I am using Angular 17 and while running the build I am getting an error stating
Error: src/app/common/util.ts:3:8 - error TS1259: Module '"/usr/src/app/node_modules/dompurify/dist/purify.cjs"...
79 votes, 7 answers, 220k views
Sanitizing user input before adding it to the DOM in Javascript
I'm writing the JS for a chat application I'm working on in my free time, and I need to have HTML identifiers that change according to user submitted data. This is usually something conceptually shaky ...
77 votes, 14 answers, 39k views
When is it best to sanitize user input?
User equals untrustworthy. Never trust untrustworthy user's input. I get that. However, I am wondering when the best time to sanitize input is. For example, do you blindly store user input and then ...
0 votes, 4 answers, 2k views
Convert a hex value stored as a varchar in an integer column to its integer equivalent
Hi: I'm working with SQLite (v 3.14.2) on Linux. Apparently, SQLite allows users to store char strings in integer columns (I find this shocking, but that's what it apparently allows). Some of ...
0 votes, 0 answers, 311 views
RDKit- How can we print problematic molecules and their issues together?
I got the error messages using RDKit.Chem.
[14:21:42] Can't kekulize mol. Unkekulized atoms: 3 5 6 7 9 10
[14:21:42] Can't kekulize mol. Unkekulized atoms: 3 5 6 7 10 11
[14:21:48] Explicit valence ...
0 votes, 2 answers, 2k views
How to sanitize a PDF with an open-source Java tool (like PDFBox)? [closed]
I am trying to enhance the security of a file upload segment in a Spring based web application.
It uses an antivirus to do virus screening before upload. However, it is additionally required to sanitize the ...
5 votes, 1 answer, 15k views
This can enable a Reflected Cross-Site Scripting (XSS) attack
I have this code:
const implementation = async (req, res, next) => {
const rut = req.user && req.user.nickname.toUpperCase();
const data = req.body; // ERROR !!!
if (!rut || !data) ...
94 votes, 14 answers, 137k views
How to escape strings in SQL Server using PHP?
I'm looking for the alternative of mysql_real_escape_string() for SQL Server. Is addslashes() my best option, or is there another alternative function that can be used?
An alternative for mysql_error()...
2 votes, 0 answers, 549 views
Checkmarx Scans Won't Recognize Any Sanitization Methods in Node/Express
I have a Node.js Express app and I'm running a Checkmarx scanning tool on it. It is flagging things like request.path and request.url and saying that "The element's value flow through the code ...
4 votes, 5 answers, 6k views
Best practice when sanitizing HTML form user input in PHP / CodeIgniter 4 [duplicate]
I have a simple app programmed in PHP using the CodeIgniter 4 framework and, as a web application, it has some HTML forms for user input.
I am doing two things:
In my Views, all variables from the ...
1 vote, 0 answers, 320 views
Most strict DOMPurify configuration?
I used the default DOMPurify (https://github.com/cure53/DOMPurify/tree/main) configuration for input sanitization in JavaScript, but noticed that tags like "h3" are allowed. I was wondering ...
2 votes, 2 answers, 125 views
How to restrict user from running queries that change data
I have a large Java based application that uses connection pooling to access the underlying database for all sorts of CRUD and reporting operations. The application also provides a database query ...
-1 votes, 4 answers, 607 views
Why doesn't preventDefault() of an input event stop changes to the value of a form element
This question has been asked and answered before; none of the previous answers given here seem to fix my situation. Therefore I need to ask, once again, why isn't the event prevented correctly?
...
0 votes, 0 answers, 274 views
Securely validating/sanitizing user input when using SQL Server's CONTAINS() predicate
I've got a table in SQL Server with a full-text index on an NVARCHAR column, and I want my website's users to be able to search through the table for data that matches their search string. I want to ...
1 vote, 1 answer, 595 views
Angular DomSanitizer replacing new line characters on textarea fields
Is Angular's DomSanitizer just a glorified text-replacer? If it is, I'd like to know if it's feasible to implement my own sanitizer, because the Angular one is replacing special characters like "&...
1 vote, 2 answers, 471 views
Strange characters in (invalid) json string from post request (encoding issues)
I am trying to get data from a post request using the following line:
$data = file_get_contents('php://input');
The json string might be like: {"test" : "test one \xe0 "}
The ...
0 votes, 0 answers, 79 views
Wordpress not sanitizing double quotes in image alt text text fields causing pages to break
Currently, when users put double quotes in the alt text field for an image in the media library or within the ACF edit window, those quotes get saved to the database within the alt field and rendered ...
0 votes, 0 answers, 83 views
Am I sanitizing the input properly in my functions.php?
I am creating a WordPress website, using Divi Builder for the design + some PHP for additional functionality in the back-end. Right now I am developing custom Divi modules, whose purpose will be to ...
-1 votes, 1 answer, 127 views
When to sanitize/encode while implementing a tags system like on SO
In my development I have a tag system that closely matches the one SO has. And it also allows non-Latin characters.
User can enter new tag and it is saved to the DB.
Existing tags are shown to the ...
44 votes, 2 answers, 57k views
Best way to go about sanitizing user input in rails
I've read a lot about this and know there are many related questions on here, but I couldn't find a definitive guide for how to go about sanitizing everything. One option is to sanitize on insert, for ...
0 votes, 0 answers, 250 views
Does user data need to be sanitised before running console.log?
I have a NodeJS backend that receives some user data which will be stored in a database. Currently it is not being sanitised anywhere.
Are there any risks in writing it directly to the console with ...
90 votes, 6 answers, 74k views
How can sanitation that escapes single quotes be defeated by SQL injection in SQL Server?
To start this off, I am well aware that parameterized queries are the best option, but I am asking what makes the strategy I present below vulnerable. People insist the below solution doesn't work, so ...
0 votes, 1 answer, 1k views
Do I need to sanitise TIPTAP text editor in nextJS?
Do I need to sanitise the TIPTAP text editor with Next.js? If so, what sanitiser is best with Next.js and the TIPTAP text editor?
46 votes, 9 answers, 79k views
What is a good method to sanitize the whole $_POST array in PHP? [duplicate]
I have a form with a lot of variables which is then sending an email, rather than sanitizing each $_POST value with filter_var($_POST['var'], FILTER_SANITIZE_STRING); I was after a more simple piece ...
0 votes, 0 answers, 229 views
I am looking for a way to stop HTML injection
If I send a request like <img src = "1"/>, it seems it does not work in this case. I am using the OWASP policy factory sanitizer.
Can you describe the issue and how I can fix it?
...
1 vote, 0 answers, 379 views
How to verify the nonce in WordPress if the request is from a link in the menu?
I have a plugin that has a submenu. For example: Dashboard, List of recent questions, Settings, Support.
The submenu is added using the add_submenu_page function.
add_submenu_page(
'my-...
40 votes, 2 answers, 62k views
Input sanitization in ReactJS
I am using ReactJS to develop a simple chat application. Could someone help me to sanitize the input?
There is only one input text box to send chat messages. How to sanitize it?
<input type="...
0 votes, 1 answer, 97 views
How to sanitise request body in spring boot if some attributes contain these values
Is there any library available to encode these if present as values, e.g. HTML attributes, JS events, scripts, expressions evaluating to true? Though it should escape values like ">50000&...
0 votes, 1 answer, 802 views
Sanitizing HTML from Form Input not working (symfony6.3 php 8.2)
I am trying to implement a form that sanitizes HTML input according to
https://symfony.com/doc/current/html_sanitizer.html#sanitizing-html-from-form-input
but I cannot make it work properly.
Here is my ...
75 votes, 8 answers, 78k views
Dealing with line Breaks on contentEditable DIV
I have a problem with contenteditable line breaks on SAFARI/CHROME. When I press "return" on a contentEditable <div>, instead of creating a <br> (like Firefox), they create a new <div&...
42 votes, 5 answers, 99k views
How to sanitize HTML code in Java to prevent XSS attacks?
I'm looking for a class/util etc. to sanitize HTML code, i.e. remove dangerous tags, attributes and values to avoid XSS and similar attacks.
I get html code from rich text editor (e.g. TinyMCE) but it ...
2 votes, 1 answer, 2k views
Correctly sanitize data for request
Background
I'm not sure how I should approach sanitizing data I get from a Java backend for usage in a React form. And also the other way around: sanitizing data I get from a form when making a ...