Add input sanitization on OG values (defense-in-depth) #79

Closed
opened 2026-06-23 13:32:58 +00:00 by jmiller · 1 comment
Owner

Summary

While OG values are escaped on output via Joomla's setMetaData() API, there is no explicit sanitization on input when saving to the database. Adding input sanitization provides defense-in-depth against stored XSS.

Current State

  • Output escaping: YES (via Joomla API) — safe against reflected XSS
  • Input sanitization: NO — raw user input stored in #__mokoog_tags
  • TagTable::check() validates structure (length, format) but doesn't strip HTML/scripts

Recommendation

Add InputFilter::clean() or strip_tags() to text fields (og_title, og_description, seo_title, meta_description) in TagTable::check() or MokoOGContent::onContentAfterSave().

Impact

Low risk currently (output is escaped), but defense-in-depth is best practice for extensions that store user-provided content.

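As an added illustration of the recommendation above (example code, not the project's own), a `check()` override for the `TagTable` class that runs `InputFilter::clean()` in `STRING` mode over the four listed text fields before the row is saved; the class's namespace, parent class and the existing length/format validation are assumed.

```php
<?php
// Added example, not MokoSuiteOpenGraph code: strip markup from the OG text
// fields on save so the database never holds tags, regardless of how a
// future template or API call renders them.
use Joomla\CMS\Filter\InputFilter;
use Joomla\CMS\Table\Table;

class TagTable extends Table
{
    /** Text fields named in the issue that must never carry HTML. */
    private const TEXT_FIELDS = [
        'og_title',
        'og_description',
        'seo_title',
        'meta_description',
    ];

    public function check(): bool
    {
        // 'STRING' mode decodes entities first and then removes every tag and
        // attribute, so "<b>x</b>" and "&lt;script&gt;" are both reduced to text.
        $filter = InputFilter::getInstance();

        foreach (self::TEXT_FIELDS as $field) {
            if (!isset($this->$field) || $this->$field === '') {
                continue;
            }
            $this->$field = trim($filter->clean($this->$field, 'STRING'));
        }

        // Existing structural validation (length, format) is assumed to run
        // after sanitization, so limits apply to the stored value.
        return parent::check();
    }
}
```

Sanitizing before the structural checks matters: a length limit measured on the raw value could pass a string that shrinks after tag removal, or reject one that would have fit.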
jmiller added this to the Code Quality & Testing milestone 2026-06-23 13:32:58 +00:00
jmiller added the security label 2026-06-23 13:32:58 +00:00
Author
Owner

Branch created: feature/79-add-input-sanitization-on-og-values-defe

git fetch origin
git checkout feature/79-add-input-sanitization-on-og-values-defe
Reference: MokoConsulting/MokoSuiteOpenGraph#79