Feature #1400

Create a new HTML filter for every content added by user

Added by Julio Montoya about 9 years ago. Updated over 6 years ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
-
Target version:
Start date:
28/05/2010
Due date:
% Done:
0%

Estimated time:
6.00 h
Complexity:
Challenging
SCRUM pts - complexity:
20

Description

Yes, we have Security::remove_XSS, which helps us prevent XSS attacks in the $_GET, $_POST, etc. variables.
But what happens with content added by a trusted user?

When we add content to the database, we use the Database::escape_string function, which prevents SQL injection. But is that it?
What I propose is to use Security::remove_XSS (we can rename the function) for every user's saved content.


Related issues

Related to Chamilo LMS - Bug #1450: HTMLPurifier taking too much memory in forum (Bug, Resolved, 03/06/2010 to 04/06/2010)

History

#1

Updated by Yannick Warnier about 9 years ago

This has more implications than you think, but it is the right way to do it. Problems will happen if the content is already filtered for output, in the database.
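
An added example (not Chamilo's code, and not using its Security or Database classes) for the proposal in the description and the caveat in this comment: it filters rich-text content exactly once on save, stores it through a prepared statement so no SQL escaping is needed, and then shows what happens when content that was already escaped for output is stored and escaped again. The functions filter_html, escape_text, save_content and load_content are hypothetical stand-ins; the toy filter_html is not a substitute for a real sanitizer such as HTMLPurifier.

```php
<?php
declare(strict_types=1);

// Toy stand-in for an HTML filter: keeps a tiny allow-list of tags, removes
// inline event handlers and javascript: URLs. Illustration only.
function filter_html(string $html): string
{
    $clean = strip_tags($html, '<p><b><i><a>');
    $clean = preg_replace('/\s+on\w+\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]+)/i', '', $clean);
    return preg_replace('/href\s*=\s*(["\']?)\s*javascript:[^"\'>\s]*\1/i', 'href="#"', $clean);
}

// Escaping for a text context (a value shown as text, not rendered as HTML).
function escape_text(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Save with a prepared statement: the value never touches the SQL string,
// so no escape_string-style escaping is needed for injection protection.
function save_content(PDO $db, int $userId, string $body): int
{
    $stmt = $db->prepare('INSERT INTO content (user_id, body) VALUES (:uid, :body)');
    $stmt->execute([':uid' => $userId, ':body' => $body]);
    return (int) $db->lastInsertId();
}

function load_content(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT body FROM content WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// Constructed sample: in-memory SQLite and one submitted rich-text fragment.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE content (id INTEGER PRIMARY KEY, user_id INT, body TEXT)');
$submitted = '<p onmouseover="alert(1)">Hi <b>there</b> & bye</p>';

// 1. Filter once on input, render the stored HTML as-is:
//    the allowed tags survive and the event handler is gone.
$id = save_content($db, 42, filter_html($submitted));
echo load_content($db, $id), "\n";              // <p>Hi <b>there</b> & bye</p>

// 2. Content escaped for output *before* storage and escaped again on output:
//    "&" becomes "&amp;amp;" and the page shows "&amp;" literally. This is the
//    double-filtering problem raised in comment #1.
$id = save_content($db, 42, escape_text($submitted));
echo escape_text(load_content($db, $id)), "\n"; // ...there&amp;lt;/b&amp;gt; &amp;amp; bye...
```

The practical rule the two cases show: decide whether stored content is "raw" or "filtered" and apply each filter at one point only, so that output escaping is never applied to data that was already escaped.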

#2

Updated by Yannick Warnier about 9 years ago

  • Target version set to 1.8.7.1

#3

Updated by Yannick Warnier almost 9 years ago

  • Target version changed from 1.8.7.1 to 1.8.8 stable

#4

Updated by Ivan Tcholakov almost 9 years ago

I saw an article at http://www.phparch.com/2010/07/08/never-use-_get-again/
It is about functions like filter_input() and claims that since PHP 5.2 filtering becomes a trivial thing.
The filter extension is enabled by default as of PHP 5.2.0.

#5

Updated by Yannick Warnier over 8 years ago

  • Target version changed from 1.8.8 stable to 1.8.8.4
  • Estimated time set to 6.00 h
  • Complexity changed from Normal to Challenging
  • SCRUM pts - complexity changed from ? to 20

Ivan Tcholakov wrote:

I saw an article at http://www.phparch.com/2010/07/08/never-use-_get-again/
It is about functions like filter_input() and claims that since PHP 5.2 filtering becomes a trivial thing.
The filter extension is enabled by default as of PHP 5.2.0.

Nice article indeed. We should definitely go in that direction. This might also be related to the other bug I've seen around here with HTMLPurifier. Too late (in my opinion) to put it into 1.8.8 though. It requires analysis and rewriting the Security.lib.php lib.

#6

Updated by Yannick Warnier almost 8 years ago

  • Target version changed from 1.8.8.4 to 1.9 Stable

#7

Updated by Yannick Warnier about 7 years ago

  • Target version changed from 1.9 Stable to 1.9.2

#8

Updated by Yannick Warnier almost 7 years ago

  • Target version changed from 1.9.2 to 1.9.4

#9

Updated by Julio Montoya over 6 years ago

  • Target version changed from 1.9.4 to 3.0
