
Add `preg_quote()` to sanitizing functions?

Open jrfnl opened this issue 9 years ago • 4 comments

Just wondering if preg_quote() would be a valid sanitizing function - obviously it should only be used for regex context, but in that context it might be the best way to go, or would other sanitization be needed as well?

jrfnl avatar Jul 25 '16 21:07 jrfnl

I suppose it would be a valid sanitizing function when the input is used in a PREG function.

westonruter avatar Jul 25 '16 21:07 westonruter

What if the value is being passed to preg_replace(), and capture patterns are being used? Now you have a vector for inserting arbitrary HTML into a string (or anything else that might be useful to exploit, depending on how this string is then used). Definitely some other form of sanitization is required. (Also, think about the potential for DoS by passing really expensive regexes, though that is a separate issue.)

JDGrimes avatar Oct 17 '16 20:10 JDGrimes

> What if the value is being passed to preg_replace(), and capture patterns are being used? Now you have a vector for inserting arbitrary HTML into a string (or anything else that might be useful to exploit, depending on how this string is then used).

AFAICS that is an output escape issue, not necessarily an input sanitization one.

> (Also, think about the potential for DoS by passing really expensive regexes, though that is a separate issue.)

Actually, that's exactly what preg_quote() sanitizes - you pass it an arbitrary string ( = your expensive regex) and it escapes any characters which would have special meaning in regex context, making the expensive regex innocent as it is now a literal string.

jrfnl avatar Oct 17 '16 21:10 jrfnl

> AFAICS that is an output escape issue, not necessarily an input sanitization one.

Well, isn't that true of all input? 😉 But I'd still say that in this case I would usually sanitize the string to match the expected form of input, in addition to passing it through preg_quote().

> Actually, that's exactly what preg_quote() sanitizes

Ah, I forgot that it didn't just escape the delimiter. Probably it would still be a good idea to have a length limit, but of course that's still a completely separate issue.

JDGrimes avatar Oct 17 '16 22:10 JDGrimes
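The two contexts the thread keeps separating, the pattern and the replacement argument of the preg functions, side by side as an added example (PHP 7+; not code from the issue or from WPCS; the sample strings are constructed):

```php
<?php
// Added example, not code from the issue thread or from WPCS. The values in
// $haystack, $needle and $replacement below are constructed sample inputs.

/**
 * Pattern context: preg_quote() is the right tool. It escapes every regex
 * metacharacter plus the delimiter given as its second argument, so a
 * user-supplied string is matched literally. A string such as "(a+)+$" that
 * would be an expensive pattern becomes the harmless literal "\(a\+\)\+\$".
 */
function contains_literal( string $haystack, string $needle ): bool {
	$pattern = '/' . preg_quote( $needle, '/' ) . '/';
	return 1 === preg_match( $pattern, $haystack );
}

/**
 * Replacement context, naive version: the user string is handed to
 * preg_replace() as the replacement, so "$1" or "\1" inside it expands to
 * the captured group instead of being inserted literally. This is the
 * capture-pattern vector described in the thread.
 */
function replace_naive( string $subject, string $search, string $replacement ): string {
	$pattern = '/(' . preg_quote( $search, '/' ) . ')/';
	return preg_replace( $pattern, $replacement, $subject );
}

/**
 * Replacement context, safe version: preg_quote() is NOT suitable here, as
 * the backslashes it adds before characters like "." or "-" would end up in
 * the output. Returning the string from a preg_replace_callback() closure
 * inserts it verbatim; backreference syntax is never interpreted.
 */
function replace_literal( string $subject, string $search, string $replacement ): string {
	$pattern = '/(' . preg_quote( $search, '/' ) . ')/';
	return preg_replace_callback(
		$pattern,
		static function ( array $m ) use ( $replacement ): string {
			return $replacement;
		},
		$subject
	);
}

$haystack    = 'price: (a+)+$ total';
$needle      = '(a+)+$';          // constructed: looks like a pattern, treated as a literal
$replacement = '<b>$1</b>';       // constructed: carries a backreference

var_dump( contains_literal( $haystack, $needle ) );               // true: literal match
echo replace_naive( 'hello world', 'world', $replacement ), "\n";   // "$1" is expanded
echo replace_literal( 'hello world', 'world', $replacement ), "\n"; // "$1" stays literal
```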