Central place for output sanitizing (was Re: [development] more
consistency in theme functions and output concepts.)
ber at webschuur.com
Fri May 12 07:37:47 UTC 2006
Op donderdag 11 mei 2006 19:33, schreef Adrian Rossouw:
> Meanwhile, perhaps we can look at implementing this in theme()
> since we will be working on that anyway?
sounds like a plan.
However, my initial plan / proposal was nothing technical. We are developers,
and therefore tend to look at technical solutions for all our problems :)
What I tried to propose is just a guideline. Something that says:
"if you print raw data in your HTML in a theme function, you should always
sanitize it in that theme function".
"All your raw data needs to be cleaned out before sending it to the theme
This is not an immediate solution, but at least it allows us to work towards
I was not referring to the filtering system itself. The part that filters
nodes and comments works pretty well IMO. I was referring to things like
where a module collects Foo (outside the node/comment system) as input and
e-g prints them in a list. If that module developer forgets to call the
proper filters for the Foos we have a security hole. Views module, e.g. does
this very well, but imagine a module like that with all the input not
sanitizing. Yes, those places are only accessible by admins. But no: having
something in the admin area is not a reason for not sanitizing HTML.
Now if theme_item_list filters out the abovementioned lists already, then the
module developer can lean back and know security is taken care of, while we
can lean back and know that the amount of critical holes in contribs has
grown smaller (has anyone ever done an audit on contribs?)
More information about the development