I Made a Mistake

So, recently I made a mistake.

Several, actually.

I was tasked with eliminating some cross-site scripting (XSS) vulnerabilities in Punchmark’s framework. A simple but tedious task. Basically just had to filter user content for HTML tags and clean it before storing it.

To make the task a bit faster, I used a feature of my text editor that allows me to mark multiple cursor points and type from all of them at the same time. This way, I could mark multiple areas where user input was handled and wrap them all in a XSS cleaning function.

This tool I quickly wrapped all the areas and saved my changes on the live server. I felt confident that everything would work fine since the function was tested and worked and I wasn’t altering any pre existing code.

However, I quickly started getting complaints. Pages were broken across all client’s sites. Turn’s out my text editor was not closing some of those function calls and causing syntax errors. I ran all the code through a PHP linter and fixed dozens more of similar errors.

Over the next few days clients were reporting weird text and characters appearing on their sites. The function I had written was too strict and was filtering all HTML entities. The result was some garbled text viewable to clients and their customers on their websites.

The function was replaced and all is well again. A few clients noticed and a few dozen customers were momentarily confused.

But I learned to ALWAYS test what I write and never trust something blindly. Since, I’ve installed a PHP linter in my editor to catch such errors and I’ve made a point to myself to always ask questions when in doubt.

Leave a Reply

Your email address will not be published. Required fields are marked *