shahondin1624/Mitgliederverwaltung
Public Access
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 16 Wiki Activity

InputSanitizer exists but is never called from controllers #163

New Issue
Closed
opened 2026-04-10 16:03:49 +02:00 by shahondin1624 · 0 comments
shahondin1624 commented 2026-04-10 16:03:49 +02:00
Owner
Copy Link
Copy Source

Severity: HIGH

Location

lib/Middleware/InputSanitizer.php, all controllers

Description

The InputSanitizer class provides sanitizeString(), sanitizeArray(), sanitizeDate(), etc., but no controller or service actually calls these methods. All user input from getRequestData() (JSON body) and $this->request->getParam() (query params) flows directly into services and database queries without sanitization.

Risk

While the ORM uses parameterized queries (preventing SQL injection), unsanitized strings are stored in the database. These could contain HTML/script payloads that, while currently escaped by Vue on render, could be exploited if data is ever rendered in a non-Vue context (e.g., emails, PDF exports, CalDAV sync).

Recommendation

Wire InputSanitizer into the ApiControllerTrait.getRequestData() method or apply it in service-layer create/update methods for all string fields.

## Severity: HIGH ## Location `lib/Middleware/InputSanitizer.php`, all controllers ## Description The `InputSanitizer` class provides `sanitizeString()`, `sanitizeArray()`, `sanitizeDate()`, etc., but no controller or service actually calls these methods. All user input from `getRequestData()` (JSON body) and `$this->request->getParam()` (query params) flows directly into services and database queries without sanitization. ## Risk While the ORM uses parameterized queries (preventing SQL injection), unsanitized strings are stored in the database. These could contain HTML/script payloads that, while currently escaped by Vue on render, could be exploited if data is ever rendered in a non-Vue context (e.g., emails, PDF exports, CalDAV sync). ## Recommendation Wire `InputSanitizer` into the `ApiControllerTrait.getRequestData()` method or apply it in service-layer `create`/`update` methods for all string fields.
shahondin1624 added the backendsecuritypriority:high labels 2026-04-10 16:03:49 +02:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
backend
Backend / PHP work
 bug
Bug report
 database
Database migrations and schema
 documentation
Documentation
 enhancement
Enhancement or improvement
 epic
Epic / feature-group issues
 frontend
Frontend / Vue.js work
 integration
Nextcloud integrations (Calendar, Contacts, Files)
 priority:high
High priority
 priority:low
Low priority
 priority:medium
Medium priority
 security
Security-related work
 testing
Tests and test infrastructure
No Label backend priority:high security
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
shahondin1624
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: shahondin1624/Mitgliederverwaltung#163
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?