password reset being bypassed, why?

[scootstah]

Pretty much any time you're outputting dynamic content, it needs to be escaped first. Whether that content comes from your database, an XML feed, an external API, whatever... it needs to be escaped.

 

If you let a user input data into your database, then you need to be escaping it when you display it back onto your website somewhere. If not, then the user could type HTML or Javascript and thus you have an XSS vulnerability. Right now, you're escaping before it gets to your database. Typically this isn't the way to go. It's better to escape as close to output as possible, as that way you are sure that all content, no matter its origin, is safe to display.

[moose-en-a-gant]

 

It's better to escape as close to output as possible, as that way you are sure that all content, no matter its origin, is safe to display.

 

I'd like to implement that from here on out.

 

Just as a refresher, to do that what would I do?

 

Query the database for the information, pass it through the escape function and then output that? Is that enough or ?

 

XSS is a real acronym? cross-site scripting, hmm nice

[scootstah]

I'd like to implement that from here on out.

 

Just as a refresher, to do that what would I do?

 

Query the database for the information, pass it through the escape function and then output that? Is that enough or ?

 

XSS is a real acronym? cross-site scripting, hmm nice

Yes, if you run your output variables through htmlspecialchars() first you'll be safe. You could also use a templating library such as Twig, which automatically sanitizes output data.

 

XSS stands for cross-site scripting, yes. Cross-site scripting is when a user is able to inject client-side code into your page.

[moose-en-a-gant]

Alright.

 

Well thank you very much for your help.

 

And the further explanation.

Edited February 4, 2015 by moose-en-a-gant