[pLog-svn] r6443 - plog/branches/lifetype-1.2/templates/admin

Reto Hugi plog at hugi.to
Mon May 5 15:05:26 EDT 2008


On 05/05/2008 08:47 PM, Jon Daley wrote:
> On Mon, 5 May 2008, reto at devel.lifetype.net wrote:
>> guess I was too optimistic with the release. We really should take time 
>> and rethink our input validation.
>  	Yes, I agree.
> 
> One thing I don't like about these fixes in the templates, is why are we 
> displaying stuff that needs to be escaped at all - if the data is invalid, 
> why display it at all?  Or maybe better said, why is this filtered on the 
> template level instead of the action or view level?

I totally agree. The problem is that we usually do it like this:

1. store raw request
2. validate request

if valid
  3. filter request
if not valid
  3. directly go to error view

now, the error view gets all the params (including all requests) from
admintemplatedview.class.php and there is no filtering -> xss
vulnerability on failed validation.

now, what I'm trying to do right now is filtering all the params in
admintemplatedview.class.php before it gets assigned to smarty. I think
this way, we have filtered out all requests right before the output to
the browser, and that's exactly where we should do the filtering.
everything else on a higher level should only be validation (but strict
validation, so that only really acceptable data gets processed!)

Do you guys agree?
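The approach Reto describes (escape every request parameter once, in the view class, right before it is assigned to Smarty, and keep the action layer to strict validation) can be illustrated with the following added example. It is not LifeType's code and not taken from admintemplatedview.class.php; the function names escapeForHtml and escapeAllParams and the sample request array are constructed for the illustration.

```php
<?php
// Added example (not LifeType's own code): HTML-escape every request
// parameter recursively at the view layer, so that an error view that
// re-displays the submitted values after failed validation never echoes
// raw user input into the page.

/**
 * HTML-escape a scalar, or recursively escape every key and value of an
 * array (request fields like category[] arrive as arrays). Non-string
 * scalars (int, float, bool, null) are returned unchanged because they
 * cannot carry markup.
 */
function escapeForHtml($value)
{
    if (is_array($value)) {
        $out = array();
        foreach ($value as $key => $item) {
            // array keys can also be attacker-controlled, so escape them too
            $escapedKey = htmlspecialchars((string) $key, ENT_QUOTES, 'UTF-8');
            $out[$escapedKey] = escapeForHtml($item);
        }
        return $out;
    }
    if (is_string($value)) {
        return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    }
    return $value;
}

/**
 * Stand-in for the step in the view class that hands request parameters
 * to the template engine: returns a copy of $params in which every entry
 * is escaped, ready to be passed to $smarty->assign() name by name.
 */
function escapeAllParams(array $params)
{
    $escaped = array();
    foreach ($params as $name => $value) {
        $escaped[$name] = escapeForHtml($value);
    }
    return $escaped;
}

// Constructed sample of a request that failed validation and would be
// passed through to the error view unfiltered.
$params = array(
    'blogName'   => '<script>alert(1)</script>',
    'categories' => array('news', '"><img src=x onerror=alert(1)>'),
    'page'       => 3,
);

$forTemplate = escapeAllParams($params);

// In the view class each entry would now go to $smarty->assign($name, $value);
// here we just show the result.
var_dump($forTemplate);
```

Two caveats worth keeping in mind with this placement of the escaping: templates that receive already-escaped values must not escape them a second time (otherwise `&` becomes `&amp;amp;`), and htmlspecialchars only makes a value safe inside HTML text and quoted attributes; a value printed into a JavaScript block or a URL needs context-specific encoding instead.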


