[Rejected] Sanitizing User Profiles
#2
(2018-04-26, 06:13 PM)labrocca Wrote: But can it be explained before I do why it was removed, was it intentional?

Escaping values more than once would result in the HTML entities (that cause the original characters to be displayed without having an effect on the HTML structure) being broken down further, producing corrupted text.

Escaping on output is better because:
  • the original content is kept intact making it easier to interpret or convert data (e.g. if someone decided to allow specific HTML tags),
  • there are fewer points of failure (otherwise e.g. we'd need to make sure it's escaped properly in the ACP, Mod CP, and frontend for save & edit actions + plugins),
  • the filtering works for all past & future content immediately after it's implemented,
  • the application is protected regardless of how the data was saved or modified (limited access to the database, perhaps as a result of an unrelated vulnerability, shouldn't mean the XSS protection can also be bypassed).
devilshakerz.com/pgp (DF3A 34D9 A627 42E5 BC6A 6750 1F2F B8AA 28FF E1BC) ▪ keybase.io/devilshakerz
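Worked illustration of the two points above (double escaping corrupting text, and output escaping still covering rows that never passed through the save path); this is an added Python model, not code from the post or from MyBB, and the profile values in it are constructed samples:

```python
import html

# Constructed sample values (not from the thread) used to compare the two strategies.
RAW_BIO = 'I <3 "MyBB" & friends'
TAMPERED = '<script>x()</script>'   # written straight into storage, bypassing the save path


def escape_once(value: str) -> str:
    """One round of HTML escaping for the characters that can alter markup."""
    return html.escape(value, quote=True)


def displayed(markup: str) -> str:
    """Approximates the text a browser shows for markup made only of text and entities."""
    return html.unescape(markup)


def escape_on_save_and_on_output(raw: str) -> str:
    """The removed behaviour: escaped when stored, then escaped again when rendered."""
    stored = escape_once(raw)          # '&' -> '&amp;', '<' -> '&lt;'
    return escape_once(stored)         # '&amp;' -> '&amp;amp;', '&lt;' -> '&amp;lt;'


def escape_on_output_only(stored: str) -> str:
    """Keep the original in storage; escape at the single rendering point."""
    return escape_once(stored)


def demo():
    """(text shown with double escaping, text shown with output-only escaping)."""
    return (displayed(escape_on_save_and_on_output(RAW_BIO)),
            displayed(escape_on_output_only(RAW_BIO)))


def tampered_row_demo():
    """A row altered directly in the database never went through the save-time filter.
    Input-only escaping renders it as live markup; output escaping still neutralises it."""
    input_only_render = TAMPERED                 # nothing escapes it at display time
    output_render = escape_on_output_only(TAMPERED)
    return (input_only_render, output_render)
```

With double escaping the reader sees the literal entities `&lt;3 &quot;MyBB&quot; &amp;` instead of the bio; with output-only escaping the bio displays as typed and the tampered row is rendered as inert text.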