Are you ready to switch to HTML parsing permanently?

83.3% 65
1.3% 1
15.4% 12

Total votes: 78. Date: 2010-04-14 00:49

Poll: A global switch to HTML parsing

Are you ready?

donP
#24119 2010-04-15 16:54
# Trustmaster : Koradhil means that an experienced hacker would make a specially formed HTML page himself to submit unfiltered POST data, so server-side filtering with HTML-purifier is still required.
So we have to filter ALL contents? I was hoping we only had to filter pages/forums fields when submitting them, to speed up the HTMLPurifier process by calling it only at the moment of submitting, not to filter all HTML output content at the moment of displaying... :/
Why couldn't we make a security gate prohibiting the inclusion of HTML code except through Cotonti core files (from a regular logged-in user passing through HTMLPurifier)?

Added 13 hours 7 minutes later:

I think we would make this topic sticky and send a mass PM or mail newsletter to reach all Cotonti users and ask them about this important argument...
in BLUES I trust
This post was edited by donP (2010-04-16 06:05, 14 years ago)