Got Soft Rejection for Data validation


I got this comment by reviewer -

  1. STILL. Data Validation issues have been found. Do a global search for “echo $”.

All dynamic data must be correctly escaped for the context where it is rendered.

I don’t understand this.I have uploaded the plugin in Opencart.I have search about it but this is related with wordpress and esc_attr () used to escape the data but when i use this in my file like this it goes to blank

Can you please help me to sort it?

If it’s going blank, then you might be getting a fatal error.

  • Is WP_DEBUG set to true?
  • Try viewing the page’s source too; if the error is within an attribute it may not show during rendering.

I am using Opencart not wordpress. Can you help me with this ?

Oh, yeah esc_attr is for WordPress only. I’ve never really touched Opencart, but it looks like they don’t have any built-in helper functions like that. I’d suggest you do two things:

  1. Go research what an “XSS attack” is to understand why your code was rejected.
  2. Look up PHP’s htmlspecialchars function and use it to escape data before you echo it.

Example –

function esc_html($string) {
    return htmlspecialchars($string, ENT_QUOTES, 'UTF-8');

echo esc_html('<script />'); // &lt;script /&gt;

ok Thanks let me try this.

Do i need to use this function for all stings or only for html description ?

Did you research XSS? :wink:

You should escape anything and everything that you echo. What if $button_save or $header contains HTML code? A malicious script tag that redirects the user? Bitcoin mining from an attacker?!

Right now, this code is full of security vulnerabilities:

Perhaps some of those variables are validated elsewhere and considered safe. But it won’t hurt to escape it anyways, especially if user input is involved.

Yes i searched XSS.I have used the htmlspecialchars but it gives me all html on output like
before -
after -

Opencart is MVC structure so before echo it can escape the string in controller.
I am little confused.Can any opencart developer help me ?

If you intend for a variable to contain HTML, then don’t escape it. But other than that, you should escape everything.

I am not opencart dev but you can follow this:

<?php echo htmlentities($breadcrumb['href']); ?>
<?php echo htmlentities($breadcrumb['text']); ?>

You have to escape all data before render.

Ok Thanks i will do it.

Be careful calling htmlentities without the second/third arguments though - it won’t behave reliably on different PHP versions and single quotes will be vulnerable. htmlspecialchars is equally safe but outputs less characters (e.g. htmlentities will escape unicode).

In general the “golden” arguments are ($string, ENT_QUOTES, 'UTF-8')

1 Like