Question: Any easy way to turn off sanitation? #345

Open
BernhardPosselt opened this Issue Feb 1, 2014 · 8 comments


@BernhardPosselt
Contributor

Since SimplePie's sanitation is vulnerable to XSS, I use http://htmlpurifier.org/

Is there any easy way to turn off sanitation for SimplePie, since the internal solution runs anyway?

@mblaney
Member
mblaney commented Feb 10, 2014

I had a look at this last week and sanitation looks pretty baked in to me. Then today I noticed the "set_stupidly_fast" option says that it skips some of that process, so may do what you want?

Anyway as you can see this project is pretty quiet... if you guys have any plans to work on it let me know as I would be keen.

@BernhardPosselt
Contributor

IIRC set_stupidly_fast just sets some other options and disregards some things. I don't think this applies to sanitation. As for maintaining the lib, it feels kind of dead, yeah, but it will be a lot of work. I mean, look at the issue list ;D and the registry pattern is horribly bad; essentially it creates one global config which cannot be changed for multiple instances.

cc @cosenal

@mblaney
Member
mblaney commented Feb 10, 2014

I was reading the documentation and noticed set_stupidly_fast said "Forgoes a substantial amount of data sanitization in favor of speed"... didn't look into it further than that.

I'm using SimplePie in a project that I'm working on and use every day..... so even though there's a lot to do I'm stuck with it as is, or as I find the time to work on it. I've got patches that I'm using that I haven't done anything with because nothing gets merged. :-)

@ifsnop
Contributor
ifsnop commented Feb 10, 2014

I am also using SimplePie on a daily basis in some projects. I've submitted patches, and tried to contact some of the developers, also with no luck. Maybe the project isn't dead, but neither is it alive. Because of that, I have forked it and applied whatever I've found useful or thought would work.

Please make some PRs with your code changes so anyone can apply them locally. At least I will try to merge them up.

@mblaney
Member
mblaney commented Feb 11, 2014

Hi Diego,

Thanks for the update. Sorry I just sent you a pull request but you probably only want my latest commit. I'll try and catch up with some of the other changes like you've done.

@rmccue
Member
rmccue commented Feb 11, 2014

Sorry for not keeping on top of the issues!

SimplePie includes barebones sanitisation for people who need it, but it's not perfect. If you want to use HTMLPurifier with it (which I strongly recommend), $sp->set_stupidly_fast(true) is the correct way to do that, albeit badly named.

> I'm using SimplePie in a project that I'm working on and use every day..... so even though there's a lot to do I'm stuck with it as is, or as I find the time to work on it. I've got patches that I'm using that I haven't done anything with because nothing gets merged. :-)

I'd love to get those patches from you :) I'm planning on taking a day off to go over SimplePie patches and try and work up another release.
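The setup rmccue describes above (SimplePie with set_stupidly_fast(true), HTMLPurifier as the only sanitiser), written out as an added example; this is not code from SimplePie, HTMLPurifier or anyone in the thread. It assumes both libraries are installed through Composer (simplepie/simplepie and ezyang/htmlpurifier), feeds SimplePie a constructed in-memory RSS document via set_raw_data() instead of fetching a URL, and takes the thread's claim at face value that set_stupidly_fast(true) skips SimplePie's own HTML stripping. Because that option switches off more than sanitisation (it is a bundle of speed settings, hence the name), check what else it disables in the SimplePie version you run before relying on it.

```php
<?php
// Added example (not SimplePie's or HTMLPurifier's own code): disable
// SimplePie's built-in sanitisation with set_stupidly_fast(true) and run
// every HTML field through HTMLPurifier instead.
// Assumes both libraries are installed via Composer
// (simplepie/simplepie and ezyang/htmlpurifier).
require __DIR__ . '/vendor/autoload.php';

// Constructed sample feed carrying typical XSS payloads; not a real feed.
$rawFeed = <<<'XML'
<?xml version="1.0"?>
<rss version="2.0">
  <channel>
    <title>Sample feed</title>
    <link>http://example.com/</link>
    <item>
      <title>Item with hostile markup</title>
      <link>javascript:alert(1)</link>
      <description><![CDATA[
        <p>Harmless text <b>bold</b></p>
        <script>alert(document.cookie)</script>
        <a href="javascript:alert(1)">click</a>
        <img src="x" onerror="alert(1)">
      ]]></description>
    </item>
  </channel>
</rss>
XML;

// HTMLPurifier configuration: an explicit whitelist of tags, attributes and
// URI schemes. Anything not listed here is dropped.
$config = HTMLPurifier_Config::createDefault();
$config->set('HTML.Allowed', 'p,b,i,em,strong,a[href],img[src|alt],ul,ol,li,br');
$config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
$config->set('Cache.DefinitionImpl', null); // no on-disk definition cache for this demo
$purifier = new HTMLPurifier($config);

$feed = new SimplePie();
$feed->enable_cache(false);
$feed->set_raw_data($rawFeed);   // in-memory document instead of set_feed_url()
$feed->set_stupidly_fast(true);  // skip SimplePie's own sanitisation (see thread)
$feed->init();

// Permalinks are not HTML, so HTMLPurifier does not apply; reject any scheme
// other than http/https ourselves.
function safeUrl(?string $url): ?string
{
    if ($url === null) {
        return null;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $url : null;
}

$items = [];
foreach ($feed->get_items() as $item) {
    $items[] = [
        'title'   => $purifier->purify((string) $item->get_title()),
        'link'    => safeUrl($item->get_permalink()),
        'content' => $purifier->purify((string) $item->get_content()),
    ];
}

// The check a practitioner wants before trusting the pipeline: none of the
// injected payload may survive in the purified output.
foreach ($items as $entry) {
    foreach (['<script', 'javascript:', 'onerror'] as $needle) {
        if (stripos($entry['content'], $needle) !== false) {
            throw new RuntimeException("Sanitisation failed, found '$needle'");
        }
    }
    echo $entry['title'], "\n", $entry['link'] ?? '(link rejected)', "\n", $entry['content'], "\n";
}
```

Run it from the directory that holds vendor/; the hostile item's script, javascript: href and onerror handler are stripped by HTMLPurifier, and the javascript: permalink is rejected by safeUrl(), which SimplePie's HTML sanitiser would not have covered anyway since it is a URL field rather than markup.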

@mblaney
Member
mblaney commented Feb 11, 2014

I've added another change I've been using to my repository. Can you tell me how you're adding other people's commits to your repository?

@mblaney
Member
mblaney commented Feb 11, 2014

Hi Ryan,

That's great to hear! I'll add a pull request for the latest change.
