Central place for output sanitizing (was Re: [development] more consistency in theme functions and output concepts.)

Bèr Kessels ber at webschuur.com
Fri May 12 07:37:47 UTC 2006

Op donderdag 11 mei 2006 19:33, schreef Adrian Rossouw:
> Meanwhile,  perhaps we can look at implementing this in  theme()  
> since we will be working on that anyway?

sounds like a plan.

However, my initial plan / proposal was nothing technical. We are developers, 
and therefore tend to look at technical solutions for all our problems :)

What I tried to propose is just a guideline. Something that says: 
"if you print raw data in your HTML in a theme function, you should always 
sanitize it in that theme function".
or even
"All your raw data needs to be cleaned out before sending it to the theme 

This is not an immediate solution, but at least it allows us to work towards 

I was not referring to the filtering system itself. The part that filters 
nodes and comments works pretty well IMO. I was referring to things like 
where a module collects Foo (outside the node/comment system) as input and 
e-g prints them in a list. If that module developer forgets to call the 
proper filters for the Foos we have a security hole. Views module, e.g. does 
this very well, but imagine a module like that with all the input not 
sanitizing. Yes, those places are only accessible by admins. But no: having 
something in the admin area is not a reason for not sanitizing HTML.

Now if theme_item_list filters out the abovementioned lists already, then the 
module developer can lean back and know security is taken care of, while we 
can lean back and know that the amount of critical holes in contribs has 
grown smaller (has anyone ever done an audit on contribs?)

More information about the development mailing list