#6285: Sanitize::clean($this->data) breaks Security Component
    Reporter:  michaelc                     |          Type:  Bug      
      Status:  new                          |      Priority:  Medium   
   Milestone:  1.2.x.x                      |     Component:  Core Libs
     Version:  1.2 Final                    |      Severity:  Normal   
    Keywords:  sanitize security clean all  |   Php_version:  n/a      
Cake_version:                   |  
 Introduction: I had this 'bright' idea to sanitize $this->data in the
 app_controller's beforeFilter.  This invariably triggers a black hole
 callback - and I think I know why.  After puttering around, I found this:

 array ( '_Token' => array ( 'key' =>
 '78399c8d84d7465a6e9b357b1738b8a2c7d7c8dc', 'fields' =>
 ), ...
 $this->data = Sanitize::clean($this->data):
 array ( '_Token' => array ( 'key' =>
 '78399c8d84d7465a6e9b357b1738b8a2c7d7c8dc', 'fields' =>
 ), ...

 See the difference?  Me neither...  But!
 Error @ pos 147 DIFF:
 cc3380bc08faa31b53df % 3An%3A2%3A%7Bv%3A0%3
 cc3380bc08faa31b53df % 3An%3A2%

 I've added spaces around the changed content - it was still identical in a
 visual scan until I added a red span around the bad character.  Note the
 shorter length of the second string?  Both go out to 20 chars after the
 error - but I only broke up the first escape sequence with a span - the
 rest display as %.

 Sanitize::clean html entity encodes '%', which Sanitize requires to be
 unmodified in the string.

 Solution?  -- Sanitize clean ignores _Token, or perhaps Security
 component reverses the encoding process, or Security component uses
 something other than % as a pivot which Sanitize::html won't encode.

 $this->data = Sanitize::clean($this->data, array('encode'=>false));
 is not the type of answer I'm looking for here - I'm suggesting that the
 Sanitization and the Security Component play nicely with the default
 configuration.

 Alternate resolution: If Sanitizing all of $this->data is simply a
 bad idea - suggest that as your motivation for closing it, and toss in a
 thought or two about why.  Some exist.
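An added illustration of the failure the ticket describes, written for this note rather than taken from CakePHP: a minimal stand-in for the sanitizer (assumed to turn '%' into '&#37;', as the ticket says Sanitize::html does) and for the Security component's token check (assumed shape: hash, ':', urlencoded serialized field list, with a constructed salt), showing that cleaning all of $this->data breaks the check while skipping _Token keeps it intact.

```php
<?php
// Constructed illustration, not CakePHP code. Stands in for Security.salt.
const SALT = 'constructed-example-salt';

// Stand-in for the sanitizer: only the characters relevant here are encoded,
// and '%' becomes '&#37;' as the ticket reports for Sanitize::html.
function sanitizeLike($value) {
    if (is_array($value)) {
        return array_map('sanitizeLike', $value);
    }
    return str_replace(array('&', '%', '<', '>'),
                       array('&amp;', '&#37;', '&lt;', '&gt;'), $value);
}

// Assumed token layout: sha1(serialized fields . salt) ':' urlencode(serialized).
function buildToken(array $fields) {
    $serialized = serialize($fields);
    return sha1($serialized . SALT) . ':' . urlencode($serialized);
}

// Verify the way the ticket describes the component pivoting on the string:
// split on ':', urldecode, unserialize, re-hash and compare.
function verifyToken($tokenString) {
    if (strpos($tokenString, ':') === false) {
        return false;
    }
    list($hash, $encoded) = explode(':', $tokenString, 2);
    $fields = @unserialize(urldecode($encoded));
    if ($fields === false) {
        return false;   // '&#37;3A' is no longer a valid escape, so decoding fails
    }
    return hash_equals(sha1(serialize($fields) . SALT), $hash);
}

// Mitigation the ticket proposes: sanitize user fields, leave _Token untouched.
function sanitizeExceptToken(array $data) {
    $token = isset($data['_Token']) ? $data['_Token'] : null;
    unset($data['_Token']);
    $clean = sanitizeLike($data);
    if ($token !== null) {
        $clean['_Token'] = $token;
    }
    return $clean;
}

$data = array(
    'Post'   => array('title' => '50% off <b>now</b>'),   // constructed input
    '_Token' => array('key' => 'constructed-key', 'fields' => buildToken(array('Post.title'))),
);
var_dump(verifyToken($data['_Token']['fields']));                       // untouched
var_dump(verifyToken(sanitizeLike($data)['_Token']['fields']));          // whole-data clean
var_dump(verifyToken(sanitizeExceptToken($data)['_Token']['fields']));   // _Token skipped
```

The middle call fails because the '%' escapes inside the urlencoded field list no longer decode, so the re-computed hash cannot match; the third keeps the token byte-for-byte and passes.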

Ticket URL: <https://trac.cakephp.org/ticket/6285>
CakePHP : The Rapid Development Framework for PHP <https://trac.cakephp.org/>