CleanFilterValue

Nov 7, 2013 at 10:44 AM
This caught me out in a security review. I hadn't properly considered the vulnerabilities in exposing my AD lookups through an API but the pen tester pointed out he could do LDAP injection (although admittedly he wasn't able to exploit this). At first I wrote my own character cleaning routine before I noticed a blog entry that mentioned CleanFilterValue() which I'm now using.

I guess most folks aren't doing what I was but it still seems surprising to me that this isn't the default. Why is it this way round?
Coordinator
Nov 7, 2013 at 12:55 PM
CleanFilterValue is always used with the exception of custom filters via Where("...") and the Filter class. The reasoning is that if you are using these options over the built in mapping you are performing some edge case so I didn't want to get in your way.

At one point I was cleaning values from the Filter class. I think I will reintroduce that, but make it a configurable option. Cleaning values will still be up to you if you use a Where custom filter. Thanks for the feedback!
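The cleaning step both posts talk about (the hand-rolled routine and the library's CleanFilterValue()) is RFC 4515 filter-value escaping. The block below is an added, stand-alone illustration of that escaping written for this thread; it is not the library's own code, and the helper names, the sample input and the paren-counting check are assumptions.

```python
# Added illustration of RFC 4515 assertion-value escaping for LDAP search
# filters (assumption: hand-written helpers, not the library's CleanFilterValue()).
_ESCAPES = {
    "\\": r"\5c",    # backslash
    "*": r"\2a",     # wildcard
    "(": r"\28",     # opens a filter component
    ")": r"\29",     # closes a filter component
    "\x00": r"\00",  # NUL
}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied assertion value for use inside an LDAP filter.

    Each character RFC 4515 section 3 requires to be escaped is replaced by a
    backslash plus its two-digit hex code, so the value can neither close the
    enclosing component nor add a component of its own.  Mapping is done per
    character, so nothing is ever escaped twice.
    """
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_equality_filter(attribute: str, value: str, clean: bool = True) -> str:
    """Build '(attribute=value)'.

    clean=False reproduces the uncleaned path the coordinator describes for
    custom Where("...") filters, so the two outputs can be compared side by side.
    """
    if clean:
        value = escape_filter_value(value)
    return f"({attribute}={value})"


def unescaped_paren_count(filter_str: str) -> int:
    """Count parentheses the LDAP server would treat as filter structure.

    A filter intended to be a single equality assertion must yield exactly 2;
    anything larger means caller-supplied text became filter syntax.
    Escapes are assumed well-formed (backslash plus two hex digits).
    """
    count, i = 0, 0
    while i < len(filter_str):
        if filter_str[i] == "\\":
            i += 3          # skip the escape sequence entirely
            continue
        if filter_str[i] in "()":
            count += 1
        i += 1
    return count


if __name__ == "__main__":
    sample = "j*smith(1)"  # constructed sample input, not from the thread
    print(build_equality_filter("sAMAccountName", sample))
```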