Opened 8 years ago

Closed 8 years ago

Last modified 8 years ago

#1519 closed defect (wontfix)

White-List acceptable tags instead of back-list

Reported by: guest Owned by: gogo
Priority: normal Milestone:
Component: Xinha Core Version: trunk
Severity: normal Keywords:
Cc:

Description

Is there a white-list of acceptable HTML tags? – If not this means that the Xinha essentially accepts all tags but rejects those that are inappropriate for example the “script” tag. This leads to no protection against new tags that are released and exploited.

Change History (2)

comment:1 Changed 8 years ago by gogo

  • Resolution set to wontfix
  • Status changed from new to closed

It makes ZERO sense to have a whitelist or blacklist in Xinha itself. The user can submit whatever HTML they want to your server as a form post, they don't need Xinha to do that, putting such "protection" in Xinha would be entirely pointless and trivially cicumventable.

You MUST MUST MUST MUST MUST MUST MUST treat all data sent by untrusted users (and even trusted ones) as suspect, no matter where it comes from, Xinha or "normal" fields, or cookies, or... you MUST santise data you are given!

Xinha can and will not do that for you!

comment:2 Changed 8 years ago by guest

gogo's right. may I suggest you look at HTML Purifier:
http://htmlpurifier.org/

Note: See TracTickets for help on using tickets.