dolibarr-dev

Re: [Dolibarr-dev] Security improvement and new library


From: Destailleur Laurent
Subject: Re: [Dolibarr-dev] Security improvement and new library
Date: Fri, 19 Sep 2014 12:54:00 +0200

I agree we can't rely on user data.

There is already a light "HTMLpurifier" in Dolibarr (it is not based
on an external lib, but included in the core code of Dolibarr; lighter than
HTMLpurifier but really, really faster).

However, I am not sure we must rely on such tools. They filter strings
we don't want to filter and forget others.
It is better to rely on good practice, that is, escaping strings
wherever we should escape strings.

These are the escaping and sanitizing functions we MUST use everywhere; they are
the only fully secure solution (the internal Dolibarr purifier is only
a complement, but can't be relied upon):
For js:  dol_escape_js
For sql:   $db->escape
For html:  dol_escape_htmltag or dol_html_entities


2014-09-15 16:26 GMT+02:00 [Kreiz IT]Cédric GROSS <address@hidden>:
> Hello there,
>
> I had a look at http://htmlpurifier.org. This library cleans up variables against
> wished HTML tags.
>
> I think including this library in Dolibarr could greatly improve security,
> especially for fields where fckeditor is used.
>
> What do you think?
>
> Cedric
>
> _______________________________________________
> Dolibarr-dev mailing list
> address@hidden
> https://lists.nongnu.org/mailman/listinfo/dolibarr-dev
>



-- 
Laurent Destailleur (alias Eldy)
------------------------------------------------------------------------------------
Social networks of my OpenSource projects:
Dolibarr Google+: https://plus.google.com/+DolibarrOrg/
Dolibarr Facebook: https://www.facebook.com/dolibarr
Dolibarr Twitter: http://www.twitter.com/dolibarr
AWStats Google+: https://plus.google.com/+AWStatsOrgPoject/
AWStats Facebook: https://www.facebook.com/awstats.org
AWStats Twitter: http://www.twitter.com/awstats_project
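The per-context escaping rule from the message above, as an added example that is not Dolibarr code: one user-supplied value rendered in an HTML context, a JavaScript string context and a SQL query, each with its own escaper. Plain PHP stand-ins (htmlspecialchars, json_encode, PDO bound parameters) are used so the file runs without Dolibarr; the comments name the Dolibarr function that plays the same role, and the table and column names are assumed for illustration.

```php
<?php
// Constructed sample: a customer name as a user might type it. It contains
// an apostrophe, a tag, an ampersand and double quotes, so each output
// context needs a different treatment.
$name = "O'Brien <b>& Sons</b> \"Ltd\"";

// HTML text or attribute context (Dolibarr: dol_escape_htmltag / dol_html_entities).
// ENT_QUOTES also converts the apostrophe, so the value is safe in single-quoted attributes.
function escapeForHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// JavaScript string-literal context (Dolibarr: dol_escape_js).
// json_encode yields a complete, quoted JS string literal; the JSON_HEX_* flags
// additionally encode < > & ' " so the literal cannot close a <script> element.
function escapeForJs(string $s): string
{
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// SQL context (Dolibarr: $db->escape). With PDO the value is bound as a
// parameter, so it never becomes part of the SQL text at all.
function findByName(PDO $db, string $name): array
{
    // Assumed table/column names, chosen to resemble Dolibarr's schema.
    $stmt = $db->prepare('SELECT rowid, nom FROM llx_societe WHERE nom = :nom');
    $stmt->execute([':nom' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Each sink gets its own escaper. Reusing escapeForHtml() for the JS sink
// would be a bug: the apostrophe in O'Brien ends a single-quoted JS literal.
echo '<span title="' . escapeForHtml($name) . '">' . escapeForHtml($name) . "</span>\n";
echo '<script>var customer = ' . escapeForJs($name) . ";</script>\n";

// In-memory SQLite so the SQL path runs offline.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE llx_societe (rowid INTEGER PRIMARY KEY, nom TEXT)');
$db->prepare('INSERT INTO llx_societe (nom) VALUES (:nom)')->execute([':nom' => $name]);
// The apostrophe and quotes are stored and read back intact, with no manual escaping.
print_r(findByName($db, $name));
```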