Central place for output sanitizing (was Re: [development] more consistency in theme functions and output concepts.)

Bèr Kessels ber at webschuur.com
Thu May 11 17:07:57 UTC 2006

I think we should aks the people working on the new output system what they 
thnk, or plan.

Op donderdag 11 mei 2006 14:28, schreef Dries Buytaert:
> > > I think this is a pretty bad idea. This way every themer has a chance
> > > to remove our XSS checks.
> >
> > Sounds fair.
> >
> > However, we now do *not* have a central place. Quite some of our
> > checks/filters DO appear in theme functions!
> Having a central place sounds like a particularly good idea, IMO.  I
> usually don't use contributed module because they are prone to
> security issues.  If all the escaping was (forced to be) done in a
> central place, it would be ten times easier to audit the code (before
> installing it).  Whether this is feasible in the theme layer, I don't
> know.  I do know, however, that I like the idea.

Bottomline: We could do better, security-wise, if we have either agreements on 
where sanitzing should happen, or if we have such a layer built into Drupal 

I recall some people working on a new concept for outputting "stuff". Building 
on top of Fapi. Using concepts from fapi.

Is this part of your plans? Or should we look for a solution that is not in 
that layer?


More information about the development mailing list