
Better XSS protection #1056

Merged
rjmackay merged 3 commits into ushahidi:develop from rjmackay:html-purifier-xss-protect

3 participants

@rjmackay
Owner
  • Add HTMLPurifier library (LGPL)
  • Add helper functions to html helper
  • Set default encoding header to UTF-8
  • Make sure the doctype is the same everywhere (admin/members/frontend)
  • Remove use of strip_tags() and htmlspecialchars()
  • Replace vanilla htmlentities with html::escape() - make sure no one forgets the UTF-8
  • Remove _csv_text() fn - no longer used and was using strip_tags()

Feedback appreciated.

Particularly around the range of allowed tags, current: "a[href|title],p,img[src|alt],br,b,u,strong,em,i" and iframes from trusted sources: youtube, vimeo, soundcloud

Other iframes we should allow? Other tags we should allow?

Also on names of helper fns:
html::escape()
html::clean()
html::strip_tags()
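
The helpers named above, sketched as an added example on top of HTMLPurifier (this is not the Ushahidi code from the pull request; the require path, the iframe embed-host list and the `$allowed_tags`/`$allowed_iframes` parameters are assumptions). It shows the two things the description calls out: the charset passed explicitly on every escape, and a tag whitelist plus host-restricted iframes that stay configurable.

```php
<?php
// Added example, not the project's own html helper. HTMLPurifier's
// autoloader path is assumed; adjust it to where the library is installed.
require_once 'HTMLPurifier.auto.php';

class html
{
    // Escape untrusted text for output. The charset is passed explicitly
    // because older PHP releases default to ISO-8859-1, which mangles UTF-8.
    public static function escape($str)
    {
        return htmlspecialchars((string) $str, ENT_QUOTES, 'UTF-8');
    }

    // Keep only whitelisted markup; iframes survive only when their src
    // starts with one of the trusted embed prefixes (assumed defaults here).
    public static function clean(
        $html,
        $allowed_tags = 'a[href|title],p,img[src|alt],br,b,u,strong,em,i',
        $allowed_iframes = array(
            'www.youtube.com/embed/', 'player.vimeo.com/video/', 'w.soundcloud.com/player/'
        )
    ) {
        $config = HTMLPurifier_Config::createDefault();
        $config->set('Core.Encoding', 'UTF-8');
        // HTML.Allowed understands the same "tag[attr|attr]" list syntax used above.
        $config->set('HTML.Allowed', $allowed_tags . ',iframe[src|width|height|frameborder]');
        // The iframe element is only enabled with SafeIframe, and every src is
        // checked against this anchored regexp built from the trusted prefixes.
        $config->set('HTML.SafeIframe', true);
        $hosts = array_map(function ($h) { return preg_quote($h, '%'); }, $allowed_iframes);
        $config->set('URI.SafeIframeRegexp', '%^(https?:)?//(' . implode('|', $hosts) . ')%');
        $purifier = new HTMLPurifier($config);
        return $purifier->purify($html);
    }
}

// Constructed sample input: an inline event handler, a script element, an
// iframe to an untrusted host, and an iframe to a trusted embed host.
$untrusted = '<p onmouseover="alert(1)">Hi</p><script>alert(2)</script>'
    . '<iframe src="http://untrusted.invalid/x"></iframe>'
    . '<iframe src="https://www.youtube.com/embed/abc123"></iframe>';
echo html::clean($untrusted), "\n";
echo html::escape("<b>O'Brien</b> & co"), "\n";
```

Apply escape() once, at output time, to text that clean() has not already processed; escaping a string that was already escaped produces the double-escaping problem fixed in the follow-up commits.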

rjmackay added some commits
@rjmackay rjmackay Better XSS protection
* Add HTMLPurifier library (LGPL)
* Add helper functions to html helper
* Set default encoding header to UTF-8
* Make sure the doctype is the same everywhere (admin/members/frontend)
* Remove use of strip_tags() and htmlspecialchars()
* Replace vanilla htmlentities with html::escape() - make sure no one forgets the UTF-8
* Remove _csv_text() fn - no longer used and was using strip_tags()
593719f
@rjmackay rjmackay html::clean() : Make allowed tags and iframes configurable 93c4ca2
@rjmackay
Owner

Related to #511 and #536
Updated to make allowed tags and iframe urls configurable - however still need to make sure the defaults are good.

@rjmackay rjmackay referenced this pull request
Closed

Exploitable XSS #1009

@rjmackay
Owner

Thinking about this a little more: still need to add a note in the UI with a list of allowed tags.

ping @kamaulynder can you review this?

@heatherleson

Maybe share this with our security working group?

@rjmackay
Owner

Updated to add UI about what is allowed
[Screenshot: Screen Shot 2013-04-16 at 10 20 53 AM]

@kamaulynder
Owner

For any other tags or iframes, these can be added when needed. Otherwise, it looks good.

@rjmackay rjmackay merged commit 6d7cc9d into ushahidi:develop
@rjmackay rjmackay deleted the rjmackay:html-purifier-xss-protect branch
@rjmackay rjmackay referenced this pull request from a commit in rjmackay/Ushahidi_Web
@rjmackay rjmackay Fix double escaping and missing library after merge of #1056 af44b11
@rjmackay rjmackay referenced this pull request from a commit
@rjmackay rjmackay Set default values for allowed html and iframes #1056
This avoids errors if upgraders don't update config.php

Conflicts:

	application/hooks/2_settings.php
e870d1e
@rjmackay rjmackay referenced this pull request from a commit in rjmackay/Ushahidi_Web
@rjmackay rjmackay Set default values for allowed html and iframes #1056
This avoids errors if upgraders don't update config.php
98fbd84
@rjmackay rjmackay referenced this pull request from a commit in rjmackay/Ushahidi_Web
@rjmackay rjmackay Fix double escaping and missing library after merge of #1056
Conflicts:

	themes/default/views/reports/list.php
e9d6600
@rjmackay rjmackay referenced this pull request from a commit in rjmackay/Ushahidi_Web
@rjmackay rjmackay Set default values for allowed html and iframes #1056
This avoids errors if upgraders don't update config.php
f44c113
@rjmackay rjmackay referenced this pull request from a commit in rjmackay/Ushahidi_Web
@rjmackay rjmackay Fix double escaping and missing library after merge of #1056
Conflicts:

	themes/default/views/reports/list.php
ed366e5
@rjmackay rjmackay referenced this pull request from a commit in rjmackay/Ushahidi_Web
@rjmackay rjmackay Set default values for allowed html and iframes #1056
This avoids errors if upgraders don't update config.php
4f763b9
@rjmackay rjmackay referenced this pull request from a commit
@rjmackay rjmackay Set default values for allowed html and iframes #1056
This avoids errors if upgraders don't update config.php

Conflicts:

	application/i18n
3b3a07d
Commits on Apr 9, 2013
  1. @rjmackay Better XSS protection (rjmackay authored)
  2. @rjmackay
Commits on Apr 15, 2013
  1. @rjmackay