Sanitizers

PHP Engine only

A sanitizer transforms malicious characters of a source into a safe character set, such that the source can be safely used in a sensitive sink.

For example, a type cast transforms a string into a numerical value that does not allow malicious characters and is thus safe to use in a sensitive sink. Encoding (urlencode()), escaping (addslashes()), or converting (htmlentities()) are other types of sanitization for a specific markup context. PHP is shipped with a variety of built-in sanitization functions that are automatically detected by RIPS. Furthermore, RIPS detects custom sanitization mechanisms that, for example, rely on string replacement or regular expressions.

In case a sanitizer was not identified correctly during analysis or in case the sanitizer is not defined within the analyzed code, additional sanitizers can be configured in this section. For each function or method that returns sanitized data, please specify the number of the sanitized parameter (starting with "1") and the sanitized characters. Based on the specified characters, RIPS then decides against which vulnerability types the data is safe. Please refer to the code examples for further details.

The characters are read in individually, i.e. you do not need to place a separator between them. If you want to express that your sanitizer protects against all kinds of vulnerabilities, enter the magic word 'all' in the field. Any value processed by the function will then be treated as safe against every kind of security flaw.
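As an added illustration of what "sanitized parameter" and "sanitized characters" mean when registering a function here (example code written for this page, not code from RIPS or its documentation; the function names and the registration values in the comments are assumptions):

```php
<?php
// Added example for this section, not code from the RIPS engine or docs.
// Each function returns sanitized data and could be registered here with
// the number of the sanitized parameter (starting at 1) and the characters
// it neutralises. Registration values below are assumptions.

// 1. String replacement: the same mapping htmlspecialchars() applies with
//    ENT_QUOTES, written by hand so RIPS would not auto-detect it.
//    Registration: parameter 1, characters  <>"'&  (HTML context).
function encode_html(string $value): string
{
    return str_replace(
        ['&', '<', '>', '"', "'"],             // '&' first, or later entities would be double-encoded
        ['&amp;', '&lt;', '&gt;', '&quot;', '&#039;'],
        $value
    );
}

// 2. Regular expression: keep only [A-Za-z0-9_-], which removes '/', '\',
//    '.' and NUL, so no traversal sequence survives when the result is
//    appended to a fixed directory. Registration: parameter 1, characters  /\.
function clean_filename(string $value): string
{
    $name = preg_replace('/[^A-Za-z0-9_-]/', '', $value);
    return $name === '' ? 'default' : $name;
}

// 3. Allowlist lookup: the value is replaced wholesale unless it is one of
//    the permitted literals, so nothing user-controlled reaches the sink.
//    Registration: parameter 2 (the value, not the list), characters  all.
function restrict_to_allowlist(array $allowed, string $value, string $fallback): string
{
    return in_array($value, $allowed, true) ? $value : $fallback;
}

// 4. Type cast: an integer cannot carry metacharacters for any sink. The
//    built-in cast is detected by RIPS already; a wrapper like this is not.
//    Registration: parameter 1, characters  all.
function to_id(string $value): int
{
    return (int) $value;
}

// Usage with constructed sample input.
echo encode_html("<script>alert(1)</script>"), PHP_EOL;
echo clean_filename("../../etc/passwd"), PHP_EOL;
echo restrict_to_allowlist(['name', 'created_at'], "id; DROP TABLE users", 'name'), PHP_EOL;
echo to_id("42 OR 1=1"), PHP_EOL;
```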

Adding a PHP function as a sanitizer