"xss_clean() doesn't" the second #2065

Closed
sourcejedi opened this Issue Dec 9, 2012 · 4 comments


@sourcejedi

#2049 currently includes code to fix the bypass at the top of #1705, "xss_clean() doesn't."

I maintain that both the xss_clean() API and implementation (let alone the docs) are completely broken and must be removed, as described in #1705.

Here's the next bypass, if anyone is interested:

<a <!-- href="j&#x61;vascript:&#x61;lert&#x28;31337&#x29;;">Hello</a>
@narfbg
Collaborator
narfbg commented Dec 17, 2012

I agree - the whole design of xss_clean() doesn't allow it to be effective. However, I'm not that familiar with it either, so the most I can do is to wait for a proper alternative to become available in a pull request (at the very least, I don't think that EllisLab would be happy to have xss_clean() removed without another solution).

On a side note - I assume that you're opening new issues in order to gain more attention, but that's not really helping. Please just add further info as a comment on #1705 - it's really hard to follow otherwise, and the issue titles aren't really that descriptive anyway.

@sourcejedi

Yes, it was partly to make a point. It does mean there's something to refer to for individual problems, if that's how the active developers wished to treat them. (And to give Brian credit for patching :).

If you're happy to consider #1705 as a general issue which wants a general fix, that's fine. I don't know that it'll make it much easier to track, but I certainly don't wish to spam you without permission.

@narfbg
Collaborator
narfbg commented Dec 17, 2012

It's just that "xss_clean() doesn't" really doesn't say anything other than "this is related to xss_clean()". We have to click on those issues in order to see what they actually are, and it's not like everybody's excited to do that - it seems to be just us two at this point.
If it's nicely formatted, it would be way more useful in one place. :)

@ariven
ariven commented Dec 17, 2012

Three of us.. ;)

I think that a blacklist based method will always be further behind the curve than a whitelist method. I feel that xss_clean() can be redone using a tested (and open source) whitelist method like HTML Purifier (http://htmlpurifier.org/comparison).
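The following is an added example, not code from CodeIgniter or from anyone in this thread. It puts the bypass posted at the top of the issue through a toy blacklist filter written in the spirit of xss_clean() (a regex that strips anchors whose href starts with javascript:), shows what a browser's tokenizer makes of the filter's output, and then runs the same input through a small allowlist sanitizer of the kind ariven is arguing for. The blacklist rule, the allowlist, the safe-scheme set and all sample inputs other than the posted payload are assumptions made for the example; it is written in Python rather than PHP so it runs stand-alone with the standard library.

```python
# Added example, not CodeIgniter's xss_clean(): a toy blacklist filter
# beside a toy allowlist sanitizer, run against the bypass from the issue.
# The filter rule, the allowlist and the extra sample inputs are constructed
# for this example.
import html
import re
from html.parser import HTMLParser

# The bypass posted in the issue, embedded here as the sample input.
PAYLOAD = '<a <!-- href="j&#x61;vascript:&#x61;lert&#x28;31337&#x29;;">Hello</a>'

# ---- 1. Blacklist: look for known-bad patterns, pass everything else ----
# Hypothetical rule: "an <a> whose href starts with javascript: is bad".
_BAD_ANCHOR = re.compile(r'<a\s+href\s*=\s*["\']?\s*javascript:[^>]*>', re.I)

def blacklist_clean(s: str) -> str:
    """Decode entities (so hex/decimal spellings of 'javascript' are seen),
    then strip anchors matching the bad pattern.  Anything the regex does
    not recognise is passed through unchanged: the filter fails open."""
    return _BAD_ANCHOR.sub('<a>', html.unescape(s))

class _AttrCollector(HTMLParser):
    """Records start tags the way a browser tokenizer sees them: inside a
    tag, '<!--' is merely an oddly named attribute, not a comment, so the
    href that follows it is live."""
    def __init__(self):
        super().__init__()
        self.tags = []
    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

def browser_view(s: str) -> list:
    p = _AttrCollector()
    p.feed(s)
    p.close()
    return p.tags

# ---- 2. Allowlist: emit only known-good elements, attributes, schemes ----
ALLOWED = {'a': {'href', 'title'}, 'b': set(), 'i': set(), 'p': set()}
SAFE_SCHEMES = {'http', 'https', 'mailto'}

def _safe_href(value: str) -> bool:
    # The parser has already decoded entities.  Drop the control and space
    # characters browsers ignore in URLs, then require either no scheme
    # (a relative URL) or a scheme from the allowlist.
    v = re.sub(r'[\x00-\x20]', '', value).lower()
    m = re.match(r'^([a-z][a-z0-9+.\-]*):', v)
    return m is None or m.group(1) in SAFE_SCHEMES

class _AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__()
        self.out = []
        self.skip = 0           # >0 while inside script/style content
    def handle_starttag(self, tag, attrs):
        if tag in ('script', 'style'):
            self.skip += 1
            return
        if tag not in ALLOWED:
            return              # unknown element: tag dropped, text kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue        # '<!--', onerror, etc. never get through
            if name == 'href' and not _safe_href(value):
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f'<{tag}{"".join(kept)}>')
    def handle_endtag(self, tag):
        if tag in ('script', 'style'):
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED:
            self.out.append(f'</{tag}>')
    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))

def allowlist_clean(s: str) -> str:
    p = _AllowlistSanitizer()
    p.feed(s)
    p.close()
    return ''.join(p.out)

if __name__ == '__main__':
    leaked = blacklist_clean(PAYLOAD)
    print('blacklist output :', leaked)
    print('browser sees     :', browser_view(leaked))
    print('allowlist output :', allowlist_clean(PAYLOAD))
```

The blacklist catches `<a href="javascript:...">` but passes the posted payload untouched, because `<!--` sits between `<a` and `href`; the tokenizer then hands the browser an anchor whose href really is `javascript:alert(31337);`. The allowlist never has to know about that trick: it only re-emits attributes it was told about, with href values that pass a scheme check, so the same input comes out as `<a>Hello</a>`.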

@narfbg narfbg closed this Dec 18, 2012
@mwhitneysdsu mwhitneysdsu referenced this issue in ci-bonfire/Bonfire on Jan 22, 2014: "Adding functions to BF_Model" #977 (closed)
