Central place for output sanitizing (was Re: [development] more consistency in theme functions and output concepts.)

Adrian Rossouw adrian at bryght.com
Fri May 12 08:41:34 UTC 2006

On 12 May 2006, at 9:37 AM, Bèr Kessels wrote:

> I was not referring to the filtering system itself. The part that  
> filters
> nodes and comments works pretty well IMO. I was referring to things  
> like
> where a module collects Foo (outside the node/comment system) as  
> input and
> e-g prints them in a list. If that module developer forgets to call  
> the
> proper filters for the Foos we have a security hole. Views module,  
> e.g. does
> this very well, but imagine a module like that with all the input not
> sanitizing. Yes, those places are only accessible by admins. But  
> no: having
> something in the admin area is not a reason for not sanitizing HTML.
Yup, then i believe the 'model' part of fapi 2.0 is the best place to  
do it.
We can't even start working on that until the menu / callback system  
is refactored/fixed.

I'll write up a spec about what I'd like to see happen to the menu  

Adrian Rossouw
Drupal developer and Bryght Guy
http://drupal.org | http://bryght.com

More information about the development mailing list