Why arg function does not have check_plain for XSS prevention?
Hello All,
I have been using arg() function (example arg(0), arg(1)) for many years without realizing that it is unsecured from XSS attacks and it needs to be enclosed within check_plain() to make it sage.
It seems following function is unsecure and we should enclose $_GET['q'] with check_plain():
function arg($index = NULL, $path = NULL) {
static $arguments;
if (!isset($path)) {
$path =$_GET['q'];
}
if (!isset($arguments[$path])) {
$arguments[$path] = explode('/', $path);
}
if (!isset($index)) {
return $arguments[$path];
}
if (isset($arguments[$path][$index])) {
return $arguments[$path][$index];
}
}
as follows for XSS attack prevention:
function arg($index = NULL, $path = NULL) {
static $arguments;
if (!isset($path)) {
$path =check_plain($_GET['q']);
}
if (!isset($arguments[$path])) {
$arguments[$path] = explode('/', $path);
}
if (!isset($index)) {
return $arguments[$path];
}
if (isset($arguments[$path][$index])) {
return $arguments[$path][$index];
}
}
Any reason why we do not put check_plain here and leave it for developers to enclose their args with check_plain?
thanks a lot,
Sudeep