[documentation] PHP snippets (once again)
Fergus - m3m
fergus at modernmediamuse.com
Mon May 8 15:50:01 UTC 2006
Hi Kieran, you wrote on 07/05/2006 16:47:24:
>> Dear doc team,
>>
>> I looked at several snippets yesterday and to my horror many of
>> them contain *obvious*, major security holes. I've spoken with the
>> leader of the security team (chx) and we agreed to unpublish all
>> obviously insecure snippets, then have a discussion based on
>> numbers (ok vs. not ok) and how to proceed.
>>
>> In the limited sample set I've reviewed until now > 50% of the
>> snippets either
>>
>> - bypass 'access' security (sometimes titles, sometimes full nodes)
>> - allow XSS
>> - allow SQL injection
>> - allow a combination of the above
>
>Snippets are driven by Fergus. Fergus, what do you want us to do?
>
>Kieran
I haven't seen any insecure snippets, Kieran, but any *obvious* nasty ones should be removed.
To answer your question "what do you want us to do?": I suggest we leave in the warning that is on every snippet that is submitted correctly and don't approve any handbook pages that have any *obvious* security holes.
Fergus
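To make the three hole classes named in the thread concrete for reviewers, here is an added example (not code from the thread, from the handbook, or from Drupal itself) of a typical "list recent nodes" handbook snippet written the insecure way and then hardened. It assumes the Drupal 4.7/5-era API the list was using at the time (db_query, db_query_range, db_rewrite_sql, node_load, node_access, l, theme); the function names snippet_recent_nodes_insecure and snippet_recent_nodes_secure are mine.

```php
<?php
// Added example, not from the thread or from Drupal: the same snippet twice.
// Assumes Drupal 4.7/5-era core functions: db_query, db_query_range,
// db_rewrite_sql, db_fetch_object, node_load, node_access, l, theme.

// INSECURE: the shape of snippet the thread is objecting to.
//  - $type goes straight from the query string into SQL  -> SQL injection
//  - the title is printed without escaping                -> XSS
//  - no node access check, no status filter               -> access bypass
function snippet_recent_nodes_insecure() {
  $type = $_GET['type'];
  $result = db_query("SELECT nid, title FROM {node} WHERE type = '$type' "
    . "ORDER BY created DESC LIMIT 5");
  $out = '<ul>';
  while ($node = db_fetch_object($result)) {
    $out .= '<li><a href="/node/' . $node->nid . '">' . $node->title . '</a></li>';
  }
  return $out . '</ul>';
}

// HARDENED: same output for a legitimate request, all three holes closed.
function snippet_recent_nodes_secure() {
  $type = isset($_GET['type']) ? $_GET['type'] : 'page';
  // '%s' placeholder: db_query() escapes the argument, so it cannot break
  // out of the quotes. db_rewrite_sql() adds the node_access join so rows
  // the current user may not see are never returned. status = 1 drops
  // unpublished nodes. db_query_range() replaces the hand-written LIMIT.
  $sql = db_rewrite_sql("SELECT n.nid FROM {node} n WHERE n.type = '%s' "
    . "AND n.status = 1 ORDER BY n.created DESC");
  $result = db_query_range($sql, $type, 0, 5);
  $items = array();
  while ($row = db_fetch_object($result)) {
    $node = node_load($row->nid);
    // Re-check 'view' access on the loaded node: cheap, and it also covers
    // modules that enforce access in hook_access rather than via node_access.
    if ($node && node_access('view', $node)) {
      // l() runs check_plain() on the link text, so the title is HTML-escaped.
      $items[] = l($node->title, 'node/' . $node->nid);
    }
  }
  return theme('item_list', $items);
}
```

A reviewer can apply the same three questions to any submitted snippet: does every variable reach SQL through a placeholder, does every piece of user text reach HTML through check_plain() or a function that calls it, and does every node query go through db_rewrite_sql() or node_access()?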