Central place for output sanitizing (was Re: [development] more consistency in theme functions and output concepts.)
Bèr Kessels
ber at webschuur.com
Thu May 11 17:07:57 UTC 2006
I think we should ask the people working on the new output system what they think, or plan.
On Thursday 11 May 2006 14:28, Dries Buytaert wrote:
> > > I think this is a pretty bad idea. This way every themer has a chance
> > > to remove our XSS checks.
> >
> > Sounds fair.
> >
> > However, we now do *not* have a central place. Quite some of our
> > checks/filters DO appear in theme functions!
>
> Having a central place sounds like a particularly good idea, IMO. I
> usually don't use contributed modules because they are prone to
> security issues. If all the escaping was (forced to be) done in a
> central place, it would be ten times easier to audit the code (before
> installing it). Whether this is feasible in the theme layer, I don't
> know. I do know, however, that I like the idea.
Bottom line: We could do better, security-wise, if we have either agreements on
where sanitizing should happen, or if we have such a layer built into Drupal
itself.
I recall some people working on a new concept for outputting "stuff". Building
on top of Fapi. Using concepts from fapi.
Is this part of your plans? Or should we look for a solution that is not in
that layer?
Bèr
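An added illustration of the point argued in this thread (not code from Drupal or from anyone on the list): when escaping lives inside a theme function, a theme override can silently drop it, whereas escaping done once in a central layer before the theme function runs survives any override. The `dispatch_theme()` helper and the `mytheme` theme name are assumptions that only model the era's `theme_foo()` / `<themename>_foo()` override convention.

```php
<?php
// Minimal stand-in (assumed, not Drupal's own code) for the theme() dispatcher:
// a theme overrides theme_foo() by defining <themename>_foo().
function dispatch_theme($theme, $hook, $data) {
    foreach (["{$theme}_{$hook}", "theme_{$hook}"] as $fn) {
        if (function_exists($fn)) {
            return $fn($data);
        }
    }
    return '';
}

// Pattern A: the default theme function is responsible for escaping.
function theme_username_a($name) {
    return '<span class="user">' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</span>';
}
// A themer overrides it purely for styling and forgets the escaping.
// Nothing in the system notices: the XSS check is gone for this theme.
function mytheme_username_a($name) {
    return '<strong class="user">' . $name . '</strong>';
}

// Pattern B: escaping happens once, centrally, before the theme layer is
// entered. Theme functions only ever receive already-safe strings, so an
// override can change the markup but cannot remove the check.
function render_username_b($theme, $name) {
    $safe = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');   // the central sanitizer
    return dispatch_theme($theme, 'username_b', $safe);
}
function theme_username_b($safe_name) {
    return '<span class="user">' . $safe_name . '</span>';
}
function mytheme_username_b($safe_name) {
    return '<strong class="user">' . $safe_name . '</strong>';
}

// Constructed input: a user-supplied name that contains markup.
$name = '<b>bob</b>';
echo dispatch_theme('mytheme', 'username_a', $name), "\n"; // pattern A: the override lets the markup through raw
echo render_username_b('mytheme', $name), "\n";            // pattern B: the markup arrives escaped regardless of theme
```

Pattern B is also what makes the audit Dries describes tractable: a reviewer checks one sanitizing layer instead of every theme function in every theme.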