[pmwiki-users] Custom PageVariables from request strings: critical vulnerability
list_ob at gmx.net
Sat Feb 27 05:58:22 CST 2016
Petko Yotov wrote 2015-12-19:
> This message concerns you if your wiki creates custom page variables
> which get their values from request strings like the URL address of the
> The previously documented recommended way to sanitize such values can
> allow PHP code injection in some cases.
> The following is very insecure:
> $FmtPV['$Var'] = $_REQUEST['Var']; # insecure
> $FmtPV['$Var'] = '"'. addslashes($_REQUEST['Var']).'"'; # insecure
Is htmlspecialchars vulnerable?
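The two insecure patterns quoted above, worked through as an added example (this is not code from the post or from PmWiki). It shows why addslashes() does not help once the request value is placed inside a double-quoted PHP string that is later eval()ed, and that htmlspecialchars() fares no better in that position. Assumptions: evalPageVar() is a stand-in for the part of PmWiki's FmtPageName() that eval()s $FmtPV entries as PHP expressions; mark_executed() is a hypothetical hook that only records that attacker-controlled code ran; every request value is constructed; the $GLOBALS indirection in the last step is the replacement pattern as I understand PmWiki to document it.

```php
<?php
// Added example, not PmWiki's own code. Assumption: PmWiki's FmtPageName()
// eval()s each $FmtPV entry as a PHP expression; this stand-in models only that.
function evalPageVar(array $FmtPV, string $name): string
{
    $expr = $FmtPV[$name];
    return (string) eval("return $expr;");
}

// Hypothetical hook recording that injected code actually ran. It returns
// 'name' so that the ${...} interpolation below resolves to evalPageVar()'s
// own $name and stays warning-free; the call itself has already happened.
function mark_executed($tag): string
{
    $GLOBALS['executed'][] = $tag;
    return 'name';
}
$GLOBALS['executed'] = [];

$FmtPV = [];

// 1. Raw request value: the request string *is* the PHP expression.
$_REQUEST['Var'] = 'mark_executed("raw")';                 // constructed input
$FmtPV['$Raw'] = $_REQUEST['Var'];                         // insecure
evalPageVar($FmtPV, '$Raw');

// 2. addslashes() inside double quotes: quotes and backslashes are escaped,
//    but a double-quoted PHP string still interpolates {${expr}}, and this
//    payload contains no quote or backslash for addslashes() to touch.
$_REQUEST['Var'] = '{${mark_executed(2)}}';                // constructed input
$FmtPV['$Slashed'] = '"' . addslashes($_REQUEST['Var']) . '"';   // insecure
evalPageVar($FmtPV, '$Slashed');

// 3. htmlspecialchars() converts none of { } $ ( ) or digits, so the same
//    payload survives it unchanged: it encodes for HTML output, it does not
//    escape PHP code.
$_REQUEST['Var'] = '{${mark_executed(3)}}';                // constructed input
$FmtPV['$Html'] = '"' . htmlspecialchars($_REQUEST['Var'], ENT_QUOTES) . '"';  // insecure
evalPageVar($FmtPV, '$Html');

// 4. Keep the untrusted value out of the evaluated code entirely: store it in
//    a PHP variable and make the $FmtPV expression a fixed reference to it.
//    Assumption: this mirrors the $GLOBALS["..."] pattern PmWiki documents.
//    htmlspecialchars() is still applied, but only for the HTML output context.
$_REQUEST['Var'] = '{${mark_executed(4)}}';                // constructed input
$GLOBALS['SafeVar'] = htmlspecialchars($_REQUEST['Var'], ENT_QUOTES);
$FmtPV['$Safe'] = '$GLOBALS["SafeVar"]';                   // no user data in the expression
$safe = evalPageVar($FmtPV, '$Safe');

printf("injected code ran for patterns: %s\n", implode(', ', $GLOBALS['executed']));
printf("safe pattern returned the literal text: %s\n", $safe);
```

Running the script records the first three patterns as executed and returns the fourth value as plain text. The point is that no escaping function makes a request string safe to embed in code that will be eval()ed: the value has to stay data, held in a variable the fixed expression merely reads.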