comanage-dev - [comanage-dev] Sanitize:: filtering (CO-667)
  • From: Arlen Johnson <>
  • To: comanage-dev <>
  • Subject: [comanage-dev] Sanitize:: filtering (CO-667)
  • Date: Thu, 09 Jul 2015 15:48:04 -0400

Unless anyone disagrees, I'm going to start using the php standard filtering (see http://php.net/manual/en/book.filter.php) when we need to add user generated output to the Views -- as part of that, I can begin replacing the Sanitize:: filters when I run across them.

This relates to ticket https://bugs.internet2.edu/jira/browse/CO-667

Currently, there are 414 references to "Sanitize::" inside app/ (480 if you include everything).

The mappings from CakePHP Sanitize to php filters depend largely on the options passed to Sanitize, but a rough mapping is as follows:
  • Sanitize::paranoid = FILTER_SANITIZE_FULL_SPECIAL_CHARS (or FILTER_SANITIZE_STRING depending on need).

  • Sanitize::html = FILTER_SANITIZE_STRING with options to strip or encode special characters, as needed

  • Sanitize::escape -- this is used 6 times, mostly for escaping SQL.  There are a number of approaches, though the best are mostly database dependent.  One approach is FILTER_SANITIZE_MAGIC_QUOTES (which essentially applies addslashes()).  Not sure if we can use prepared statements where these are in use.

There is also Sanitize::clean, but we're not using it in app/

If it is desired, I could march through all instances of Sanitize (except Sanitize::escape) and replace them, rather than take a piecemeal approach.  I defer the Sanitize::escape to those of a more back-end dev leaning.  (-:

Arlen
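As an added example (not code from the list message above or from the COmanage project), the rough Sanitize:: to PHP filter mapping described in the message, applied to a constructed input. The Sanitize::escape case is shown as a prepared statement rather than FILTER_SANITIZE_MAGIC_QUOTES, since that filter was removed in PHP 8.0; the database is an in-memory SQLite handle through PDO, which assumes the pdo_sqlite extension is loaded. The function names are hypothetical.

```php
<?php
// Added example, not code from the list message or from COmanage: the rough
// Sanitize:: -> PHP filter mapping proposed on the list, run on a constructed
// input, with Sanitize::escape replaced by a prepared statement instead of
// FILTER_SANITIZE_MAGIC_QUOTES (removed in PHP 8.0).

// Constructed sample of user-generated text that is about to be echoed in a View.
$userInput = '<b>Bob</b> "O\'Neil" & <a href="x">link</a>';

// Sanitize::paranoid -> FILTER_SANITIZE_FULL_SPECIAL_CHARS
// Encodes < > & " ' as HTML entities (same as htmlspecialchars() with ENT_QUOTES),
// so the browser renders the text literally instead of interpreting markup.
function forHtmlOutput(string $s): string
{
    return filter_var($s, FILTER_SANITIZE_FULL_SPECIAL_CHARS);
}

// Sanitize::html -> FILTER_SANITIZE_STRING (strip tags, encode quotes; pass
// FILTER_FLAG_NO_ENCODE_QUOTES as the third argument to keep quotes raw).
// Caveat: FILTER_SANITIZE_STRING is deprecated since PHP 8.1. strip_tags()
// followed by htmlspecialchars() is the usual replacement; it also encodes &,
// which is the safer choice for anything placed in HTML.
function stripMarkup(string $s): string
{
    if (PHP_VERSION_ID >= 80100) {
        return htmlspecialchars(strip_tags($s), ENT_QUOTES);
    }
    return filter_var($s, FILTER_SANITIZE_STRING);
}

// Sanitize::escape -> a prepared statement. The value is bound as a parameter
// and never spliced into the SQL text, so no addslashes()-style escaping is
// needed and no database-specific quoting rule has to be matched. Uses an
// in-memory SQLite database so the example runs without a server (assumes the
// pdo_sqlite extension is available).
function storeAndFetchName(string $name): string
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE people (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

    $insert = $pdo->prepare('INSERT INTO people (name) VALUES (:name)');
    $insert->execute([':name' => $name]);

    $select = $pdo->prepare('SELECT name FROM people WHERE name = :name');
    $select->execute([':name' => $name]);
    return (string) $select->fetchColumn();
}

// Apply the three mappings to the constructed input. The SQL round trip
// returns the original string unchanged, quotes and ampersand included.
echo "HTML-encoded:   " . forHtmlOutput($userInput) . PHP_EOL;
echo "Tags stripped:  " . stripMarkup($userInput) . PHP_EOL;
echo "SQL round trip: " . storeAndFetchName($userInput) . PHP_EOL;
```

The first two functions cover output into Views, which is where the message proposes applying the standard filters; the third shows why the six Sanitize::escape call sites are better served by parameter binding than by any sanitizing filter, since the correct escaping for a SQL literal depends on the database driver while a bound parameter needs none.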
