I have a script that returns POST data if it exists, like this:
public function post($key){
if(isset($_POST[$key])){
return $_POST[$key];
}else{
return false;
}
}
// Will return false if index doesn't exist
echo $this->class->post("key");
I was wondering if it is recommended to filter everything in that function (using a XSS library such as htmlpurifier) if the index exists? I have a function which does the exact same for get requests too.
Thanks,
Peter
It should work for making your application very secure, as no user input (besides the user editable $_FILE, $_SERVER) would be susceptible to XSS unless there was a glitch in your library. However, it may adversely affect your servers performance if many people are attempting to access your application. I would write a better function like this:
public function post($key, $validate = true){
if(isset($_POST[$key])){
if($validate===true) {
return validate($_POST[$key]);
} else {
return $_POST[$key]
}else{
return false;
}
}
That way you can choose which post variables you want to validate. It reduces the overall security of your application, but if you use it correctly, you can minimize the impact.
You should sanitize all output to prevent XSS.
Use the htmlentities PHP function for this.
Filtering or validation can be done on input, however the focus should always be on output sanitization. For example, on input you may want to validate that a phone number contains numbers and the following characters only ()- #.
On output you should always correctly sanitize depending on the context. For example, if outputting to HTML:
<?php
echo htmlentities("<script>")
?>
will output
<script>
to the page instead of a <script> tag.
Check out OWASP XSS (Cross Site Scripting) Prevention Cheat Sheet for more detailed info.