Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

security: output_filter has no default value #465

Closed
andyyyy opened this issue Sep 9, 2011 · 3 comments
Closed

security: output_filter has no default value #465

andyyyy opened this issue Sep 9, 2011 · 3 comments
Assignees
@dhrrgn
Labels
Bug
Milestone
v1.1-final

Comments

@andyyyy
Copy link

andyyyy commented Sep 9, 2011

In 1.0.1 there was no setting security.output_filter, yet the output was filtered with htmlentities by default. When migrating to 1.1/develop user has to specify this setting in app/config/config.php or the output will not be filtered.

This is not what user would expect and leads to possible security vulnerabilities. I suggest setting security.output_filter to array('Security::htmlentities') if it is not explicitly set in app/config/config.php,
@ghost ghost assigned dhrrgn Sep 9, 2011
@WanWizard
Copy link
Member

@dhorrigan, @jschreuder: build this in, throw an exception (i.e. make the setting required), or just document it?

I would like to close this before thursday.

@jschreuder
Copy link
Contributor

I agree with defaulting to Security::htmlentities() when it's not set

@WanWizard
Copy link
Member

Ok, I'll pick this one up tonight...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@dhrrgn dhrrgn

Labels
Bug
Projects
None yet
Milestone
v1.1-final
Development

No branches or pull requests
4 participants
@jschreuder @dhrrgn @WanWizard @andyyyy