Got Soft Rejection for Data validation

martExtensions · July 5, 2020, 8:42am

Hello,

I got this comment by reviewer -

STILL. Data Validation issues have been found. Do a global search for “echo $”.

All dynamic data must be correctly escaped for the context where it is rendered.

I don’t understand this.I have uploaded the plugin in Opencart.I have search about it but this is related with wordpress and esc_attr () used to escape the data but when i use this in my file like this https://prnt.sc/tc3ine it goes to blank https://prnt.sc/tc3iw2

Can you please help me to sort it?

baileyherbert · July 5, 2020, 10:02am

If it’s going blank, then you might be getting a fatal error.

Is WP_DEBUG set to true?
Try viewing the page’s source too; if the error is within an attribute it may not show during rendering.

martExtensions · July 5, 2020, 10:04am

I am using Opencart not wordpress. Can you help me with this ?

baileyherbert · July 5, 2020, 10:41am

Oh, yeah esc_attr is for WordPress only. I’ve never really touched Opencart, but it looks like they don’t have any built-in helper functions like that. I’d suggest you do two things:

Go research what an “XSS attack” is to understand why your code was rejected.
Look up PHP’s htmlspecialchars function and use it to escape data before you echo it.

Example –

function esc_html($string) {
    return htmlspecialchars($string, ENT_QUOTES, 'UTF-8');
}

echo esc_html('<script />'); // &lt;script /&gt;

martExtensions · July 5, 2020, 10:42am

ok Thanks let me try this.

martExtensions · July 5, 2020, 11:01am

Do i need to use this function for all stings or only for html description ?

baileyherbert · July 5, 2020, 11:06am

Did you research XSS?

You should escape anything and everything that you echo. What if $button_save or $header contains HTML code? A malicious script tag that redirects the user? Bitcoin mining from an attacker?!

Right now, this code is full of security vulnerabilities:

Perhaps some of those variables are validated elsewhere and considered safe. But it won’t hurt to escape it anyways, especially if user input is involved.

martExtensions · July 5, 2020, 11:35am

Yes i searched XSS.I have used the htmlspecialchars https://prnt.sc/tc5dbv but it gives me all html on output like
before - https://prnt.sc/tc5e07
after - https://prnt.sc/tc5e5s

Opencart is MVC structure so before echo it can escape the string in controller.
I am little confused.Can any opencart developer help me ?

baileyherbert · July 5, 2020, 11:49am

If you intend for a variable to contain HTML, then don’t escape it. But other than that, you should escape everything.

mgscoder · July 5, 2020, 11:52am

I am not opencart dev but you can follow this:

<?php echo htmlentities($breadcrumb['href']); ?>

<?php echo htmlentities($breadcrumb['text']); ?>

You have to escape all data before render.

martExtensions · July 5, 2020, 11:56am

Ok Thanks i will do it.

baileyherbert · July 5, 2020, 11:56am

Be careful calling htmlentities without the second/third arguments though - it won’t behave reliably on different PHP versions and single quotes will be vulnerable. htmlspecialchars is equally safe but outputs less characters (e.g. htmlentities will escape unicode).

In general the “golden” arguments are ($string, ENT_QUOTES, 'UTF-8')