
Re: [Phpgroupware-developers] phpgw/ck-erp validation against "<..>"


From: Chris Weiss
Subject: Re: [Phpgroupware-developers] phpgw/ck-erp validation against "<..>"
Date: Tue, 10 Aug 2004 23:33:40 -0500

I don't see where phpgwapi would require unvalidated tags in user
input, or HTML tags at all where any sort of input is parsed.

In fact, I don't see why phpgwapi would care at all about user input.
Except for methods that directly interact with the user, the APIs
don't differentiate between user input and hard-coded developer input;
that's why the developer needs to validate the user input.

Ideally, forms should be submitted to an app's UI methods, either the UI
or the BO does input validation, then the app can send the sanitized
data to the phpgwapi classes.  Non-UI phpgwapi classes don't touch
user inputs at all; it's up to you to grab the inputs and send them to
the phpgwapi.  For the phpgwapi UI classes, they should already be
validating the inputs so you shouldn't need to worry about it... but
feel free to double check the methods you use just to be sure :)


On Tue, 10 Aug 2004 10:12:30 +0800, C K Wu <address@hidden> wrote:
> Hi, folks,
> 
> I am contemplating adding input validation against "...<..>..." within
> CK-ERP environment to minimize the risk of cross site scripting.
> 
> However, I am mindful of the following situation,
> 
> page request
> -> phpgwapi (requiring <..>)
> -> ck-erp modules (rejecting request because of embedded <..>)
> -> [in case of normal exit] phpgwapi (requiring <..>)
> 
> Would this happen in real operation ?  If so, is it a rare occasion,
> that I can handle as special cases ?
> 
> Any suggestions or comments welcomed.
> 
> Cheers,
> CK
> 
> _______________________________________________
> Phpgroupware-developers mailing list
> address@hidden
> http://lists.gnu.org/mailman/listinfo/phpgroupware-developers
> 
>
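The layering described in the reply above (form submitted to a UI method, validation done in the BO, only sanitized data reaching the API), as an added PHP example that is not part of this thread or of phpGroupWare itself; ExampleApi, ExampleBo and ui_submit are hypothetical stand-ins. It also shows HTML-escaping at the point of output, which is the step that actually prevents cross-site scripting whatever the input rules are.

```php
<?php
// Added example, not phpGroupWare code: the UI -> BO -> API split described
// in the thread. ExampleApi, ExampleBo and ui_submit are hypothetical names.
// Stand-in for a non-UI phpgwapi class: it trusts whatever it is handed.
class ExampleApi {
    public function store(array $record) { return $record; }
}
// Business object: the single place where user input is validated.
class ExampleBo {
    private $api;
    public function __construct(ExampleApi $api) { $this->api = $api; }
    // Returns array('record' => ...) on success, array('errors' => ...) otherwise.
    public function validate(array $input) {
        $errors = array(); $clean = array();
        // Free-text field that never legitimately carries markup: reject angle
        // brackets outright so the user learns why, instead of silently stripping.
        $name = isset($input['name']) ? trim($input['name']) : '';
        if ($name === '' || strlen($name) > 64) {
            $errors[] = 'name: required, at most 64 characters';
        } elseif (preg_match('/[<>]/', $name)) {
            $errors[] = 'name: angle brackets are not allowed';
        } else {
            $clean['name'] = $name;
        }
        // Numeric field: check the shape, then cast; never pass the raw string on.
        $qty = isset($input['qty']) ? $input['qty'] : '';
        if (!preg_match('/^\d{1,6}$/', $qty)) {
            $errors[] = 'qty: must be a whole number';
        } else {
            $clean['qty'] = (int) $qty;
        }
        return $errors ? array('errors' => $errors) : array('record' => $clean);
    }
    public function save(array $input) {
        $r = $this->validate($input);
        return isset($r['errors']) ? $r : array('record' => $this->api->store($r['record']));
    }
}
// UI method: the only layer that reads the form, and the only layer that
// HTML-escapes what it echoes back, which is the step that actually prevents XSS.
function ui_submit(ExampleBo $bo, array $post) {
    $r = $bo->save($post);
    $msgs = isset($r['errors']) ? $r['errors'] : array('Saved ' . $r['record']['name']);
    foreach ($msgs as $m) { echo htmlspecialchars($m, ENT_QUOTES, 'UTF-8') . "\n"; }
    return !isset($r['errors']);
}
$bo = new ExampleBo(new ExampleApi());  // constructed submissions standing in for $_POST
ui_submit($bo, array('name' => '<b>Widget</b>', 'qty' => '3'));  // rejected: angle brackets
ui_submit($bo, array('name' => 'Widget', 'qty' => '3'));         // saved
```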