Are you ready to switch to HTML parsing permanently?

83.3% 65
1.3% 1
15.4% 12

78 Date 14.04.2010 00:49


Are you ready?

donP
#24119 15.04.2010 16:54
# Trustmaster : Koradhil means that an experienced hacker would make a specially formed HTML page himself to submit unfiltered POST data, so server-side filtering with HTML-purifier is still required.
So we have to filter ALL contents? I was hoping we only had to filter pages/forums fields when submitting them, to speed up the HTMLPurifier process by calling it only at the moment of submitting, not to filter all HTML output content at the moment of displaying... :/
Why couldn't we make a security gate prohibiting the inclusion of HTML code except through Cotonti core files (from a regular logged-in user passing through HTMLPurifier)?

Added 13 hours 7 minutes later:

I think we would put this topic sticky and send a mass PM or mail newsletter to reach all Cotonti users and ask them about this important argument...
in BLUES I trust

Edited: donP (16.04.2010 06:05, 15 years ago)