Central place for output sanitizing (was Re: [development] more consistency in theme functions and output concepts.)
Adrian Rossouw
adrian at bryght.com
Fri May 12 08:41:34 UTC 2006
On 12 May 2006, at 9:37 AM, Bèr Kessels wrote:
>
> I was not referring to the filtering system itself. The part that filters
> nodes and comments works pretty well IMO. I was referring to things like
> where a module collects Foo (outside the node/comment system) as input and
> e.g. prints them in a list. If that module developer forgets to call the
> proper filters for the Foos we have a security hole. Views module, e.g. does
> this very well, but imagine a module like that with all the input not
> sanitizing. Yes, those places are only accessible by admins. But no: having
> something in the admin area is not a reason for not sanitizing HTML.
>
Yup, then I believe the 'model' part of fapi 2.0 is the best place to do it.
We can't even start working on that until the menu / callback system is
refactored/fixed.
I'll write up a spec about what I'd like to see happen to the menu system.
--
Adrian Rossouw
Drupal developer and Bryght Guy
http://drupal.org | http://bryght.com
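The hole Bèr describes, a module that collects admin-entered "Foo" values and prints them in a list without running them through the proper filters, side by side with the escaped-on-output version, as an added example that is not part of the thread or of Drupal itself. It is a stand-alone PHP script: the `escape_for_html()` helper, the `render_list_*()` functions, `contains_raw_tag()` and the `$foos` sample values are all constructed for this illustration; the helper wraps `htmlspecialchars()` the way Drupal's `check_plain()` does, so nothing needs a Drupal bootstrap.

```php
<?php
// Added example (not from the thread or from Drupal): a module that collects
// free-text labels from an admin form and renders them as an HTML list.
// Contrast the unsanitized rendering Bèr warns about with escaping on output.

/**
 * Escape text for safe inclusion in HTML, as Drupal's check_plain() does.
 * Defined locally (hypothetical helper) so this script runs without Drupal.
 */
function escape_for_html(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

/** Vulnerable: stored input is concatenated straight into markup. */
function render_list_unsanitized(array $items): string {
    $html = "<ul>\n";
    foreach ($items as $item) {
        $html .= "  <li>$item</li>\n";
    }
    return $html . "</ul>\n";
}

/** Hardened: every value is escaped at the point it becomes HTML. */
function render_list_sanitized(array $items): string {
    $html = "<ul>\n";
    foreach ($items as $item) {
        $html .= '  <li>' . escape_for_html($item) . "</li>\n";
    }
    return $html . "</ul>\n";
}

/** Detection check: does the rendered output still contain a live tag? */
function contains_raw_tag(string $html, string $tag): bool {
    return stripos($html, '<' . $tag) !== false;
}

// Constructed sample values, as an admin might type them into a "Foo" form.
$foos = [
    'Plain label',
    'Tom & Jerry',                 // the ampersand must become &amp;
    '<script>alert(1)</script>',   // markup must be neutralized, not rendered
];

echo "Unsanitized:\n" . render_list_unsanitized($foos);
echo "Sanitized:\n" . render_list_sanitized($foos);

// The unsanitized list carries the script tag into the page; the sanitized
// list turns it into harmless text. A unit test for the module can assert
// exactly this instead of relying on the developer remembering the filter.
var_dump(contains_raw_tag(render_list_unsanitized($foos), 'script'));
var_dump(contains_raw_tag(render_list_sanitized($foos), 'script'));
```

The point of the `contains_raw_tag()` check is the one made in the thread: escaping that depends on each module author remembering to call it is fragile, so the test belongs with the rendering code, and a central place in the output layer (the 'model' part of fapi that Adrian mentions) is what removes the chance to forget.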