
Why is it recommended to sanitize Wordpress Customizer select boxes, check boxes and radio buttons?

Dear Wordpress developers

I have been unable to find a clear answer to this question, which is inspired by this post by jared about sanitization and this article by Theme Foundation about the Theme Customizer. Particularly, here is a quote from the latter:

If the input is a 1 (indicating a checked box) then the function returns a one. If the input is anything else at all, the function returns a blank string. This prevents anything harmful from being saved to the database.

That last line about preventing harmful things from being saved to the database is something we can all agree to, I guess. But what I don't get is how you can get anything harmful from a checkbox - unless you make programming errors - since there are only two possible values?

So if sanitization in such cases is there to prevent just that: "data corruption" due to programming errors, I don't know if it is a good or a bad thing.

I think it only makes sense to sanitize data when your inputs are text or textfields - at least when protection against harmful stuff is your goal. I get that you sometimes need to format the data to make them useful, but that is a different subject.

That last line about preventing harmful things from being saved to the database is something we can all agree to

The thing is that "harmful" is very much about context. JavaScript in the database isn't harmful on its own - it is only "harmful" if output to HTML in another user's session. The upshot of it is that this type of vulnerability (XSS) is better dealt with via output encoding. That is, when the content is output to the page then it should be HTML encoded. This would make a script tag be output as &lt;script&gt;, which does nothing more than actually output the literal <script> to the displayed page.

But what I don't get is how you can get harmful anything from a checkbox - unless you make programming errors - since there are only two possible values?

Not if an attacker manipulates the POSTed data. For example, if your checkbox is defined as

<input type="checkbox" name="agreeToTCs" />

this would send agreeToTCs=on to your application when checked.

An attacker could manipulate the POST request though and change this to agreeToTCs=evil. This is the equivalent of specifying

<input type="checkbox" name="agreeToTCs" value="evil" />

in the HTML and the box being checked.

Why is it recommended to sanitize Wordpress Customizer select boxes, check boxes and radio buttons?

All this boils down to is that your application should only be handling valid data. As a quick example imagine a system that lets you select a user level for a new user when creating one. Part of the system design only lets you specify a user equal or lower than yourself. This is to prevent a low level of user from creating an admin account then gaining full privileges. Say if you are logged in as a medium level user the HTML for the drop down may be rendered as follows:

<select name="userLevel">
  <option value="low">low</option>
  <option value="medium">medium</option>
</select>

and when this is POSTed to the server, e.g. userLevel=medium is sent. However, an attacker may be able to manipulate the POSTed data to userLevel=admin and create themselves an admin user. "Sanitizing" the checkbox again on postback makes sure that your application is only accepting valid values.
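Here is what that "only accept valid values" check looks like as WordPress Customizer sanitize callbacks, added as an example (it is not code from the post or from WordPress core); the setting stub and the POST payloads are constructed so it runs from the PHP CLI without WordPress.

```php
<?php
// Added example, not code from the original post or from WordPress core.
// Both callbacks have the ($value, $setting) shape WordPress gives a Customizer
// sanitize_callback; the $setting object (default + rendered choices) is a
// stub standing in for the setting/control pair WordPress would pass in.

// Checkbox: the form can only legitimately produce "checked" or "unchecked",
// so anything other than 1/"1" (e.g. a tampered agreeToTCs=evil) becomes ''.
function sanitize_checkbox($value, $setting = null) {
    return ($value === 1 || $value === '1' || $value === true) ? 1 : '';
}

// Select / radio: accept only a value the server itself rendered as an option;
// otherwise fall back to the setting's default, so a tampered userLevel=admin
// is discarded instead of stored. Non-string input (array injection) is
// rejected before array_key_exists() would raise a TypeError on it.
function sanitize_select($value, $setting) {
    $choices = $setting->choices;
    $value   = is_string($value) ? $value : '';
    return array_key_exists($value, $choices) ? $value : $setting->default;
}

// For the medium-level user from the answer only low and medium were rendered.
$userLevelSetting = (object) [
    'default' => 'low',
    'choices' => ['low' => 'low', 'medium' => 'medium'],
];

// Constructed POST payloads: the first is honest, the others are tampered.
$posted = [
    ['agreeToTCs' => '1',    'userLevel' => 'medium'],
    ['agreeToTCs' => 'evil', 'userLevel' => 'admin'],
    ['agreeToTCs' => ['1'],  'userLevel' => ['admin']],
];

foreach ($posted as $i => $post) {
    $checkbox = sanitize_checkbox($post['agreeToTCs']);
    $level    = sanitize_select($post['userLevel'], $userLevelSetting);
    printf("request %d: agreeToTCs=%s userLevel=%s\n",
        $i + 1, var_export($checkbox, true), $level);
}
```

In a real theme the same two functions are wired in via the `sanitize_callback` argument of `$wp_customize->add_setting()`, which is what the Theme Foundation article quoted in the question is describing.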
