stevebauman/purify

Booleans are nullified

Closed this issue · 3 comments

Hello,

I noticed after implementing this as middleware for all incoming request input that when a boolean is passed to Purify, it simply nullifies the input.

In my failing tests, this generates an error because the input passed is nullified:

'boolean_field' => false,

If I switch the above field to the following, it works:

'boolean_field' => 0,

Any ideas?

Hi @stardothosting,

Can you post your middleware and also your test?

@stevebauman,

I have this integrated into a Laravel 8.x web application, here is the middleware:

<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Stevebauman\Purify\Facades\Purify;

class XssSanitization
{
    /**
     * Handle an incoming request.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure(\Illuminate\Http\Request): (\Illuminate\Http\Response|\Illuminate\Http\RedirectResponse)  $next
     * @return \Illuminate\Http\Response|\Illuminate\Http\RedirectResponse
     */
    public function handle(Request $request, Closure $next)
    {
        $input = $request->all();
        // Every leaf value of the input tree, whatever its type, is handed to Purify::clean().
        array_walk_recursive($input, function (&$input) {
            $input = Purify::clean($input);
        });
        $request->merge($input);
        return $next($request);
    }
}

And the test basically simulates a POST submission of form data and checks the database for expected results:

public function test_post_submit()
{
    $response = $this->actingAs($user)
        ->post('/controller/registration/save/first', [
            'offroad' => '0',
        ]);
    $this->assertEquals(422, $response->getStatusCode());
}

If I change the middleware to basically bypass the Purify filter if null, boolean or integer, it bypasses the problem:

$input = (is_bool($input) || is_int($input) || is_null($input) ? $input : Purify::clean($input));

Hi @stardothosting,

I wouldn't recommend filtering all request input with Purify, as the core HTMLPurifier library will manipulate it in some way that you don't expect. Purifier should only be run on input that is expected to be HTML -- not globally across all input sources such that may contain booleans, integers, decimals, files, etc.
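One way to follow that advice, as an added example that is neither the issue author's middleware nor code from the stevebauman/purify project: the middleware below runs `Purify::clean()` only on an explicit list of request keys that are expected to hold HTML, and only when the submitted value is actually a string. The class name `PurifyHtmlFields` and the field names `bio` and `description` are assumptions for illustration; `Purify::clean()`, `Request::input()`, `Request::has()` and `Request::merge()` are the calls already used or implied on this page.

```php
<?php
// Added example (not from the stevebauman/purify project or the issue author):
// purify only the fields expected to carry HTML, leave every other field
// (booleans, integers, nulls, files, etc.) exactly as it was submitted.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Stevebauman\Purify\Facades\Purify;

class PurifyHtmlFields
{
    /**
     * Top-level request keys that legitimately contain HTML.
     * Assumed names for illustration; replace with the application's own fields.
     *
     * @var string[]
     */
    protected array $htmlFields = ['bio', 'description'];

    public function handle(Request $request, Closure $next)
    {
        $clean = [];

        foreach ($this->htmlFields as $field) {
            // Only strings are meaningful input for the HTML purifier; a missing
            // key, a null, a boolean or an integer is skipped rather than coerced.
            if (! $request->has($field) || ! is_string($request->input($field))) {
                continue;
            }

            $clean[$field] = Purify::clean($request->input($field));
        }

        // merge() overwrites only the listed keys, so a field such as
        // 'offroad' => '0' (or a real boolean false) passes through untouched.
        if ($clean !== []) {
            $request->merge($clean);
        }

        return $next($request);
    }
}
```

Register the class in the HTTP kernel's middleware list or on the routes that accept rich-text input. Because only top-level keys are listed, nested HTML fields would need their own handling; the point of the allow-list is that adding a new form field never silently changes its type.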