I agree.
Already did this with all my view templates.
I even tried to exclude the "id" and "foreign_id" fields (as they are
keys and therefore no threats):
foreach ($fields as $field) {
    $isKey = false;
    // belongsTo foreign keys are rendered as a link to the associated record
    if (!empty($associations['belongsTo'])) {
        foreach ($associations['belongsTo'] as $alias => $details) {
            if ($field === $details['foreignKey']) {
                $isKey = true;
                echo "\t\t<td>\n\t\t\t<?php echo \$html->link(\${$singularVar}['{$alias}']['{$details['displayField']}'], array('controller'=> '{$details['controller']}', 'action'=>'view', \${$singularVar}['{$alias}']['{$details['primaryKey']}'])); ?>\n\t\t</td>\n";
                break;
            }
        }
    }
    if ($isKey !== true) {
        /** CORE-EDIT (protection against js injection by using h() function) **/
        // wrap the echoed value in h(...) unless the field looks like a key
        $h_b = "h(";
        $h_e = ")";
        if ($field == 'id' || (strlen($field) > 3 && substr($field, -3, 3) == '_id')) {
            $h_b = "";
            $h_e = "";
        }
        echo "\t\t<td>\n\t\t\t<?php echo $h_b\${$singularVar}['{$modelClass}']['{$field}']$h_e; ?>\n\t\t</td>\n";
        /** CORE-EDIT end **/
    }
}
TODO: exclude primaryKeys if they are called other than "id".
Maybe there is a nicer, cleaner way, but it works^^
On 18 Feb., 16:58, mark_story <[email protected]> wrote:
> Well you can make your own bake templates, and include html escaping
> there. The assumption is that you will 'harden' your app after
> baking. I could see it being an enhancement. But like I said you can
> make your own hardened bake files.
>
> -Mark
>
> On Feb 18, 9:37 am, Jonathan <[email protected]> wrote:
>
> > Hi,
>
> > If you use the console to bake views like index.ctp and view.ctp, data
> > is echoed directly like:
> > <?php echo $user['Model']['field']; ?>
>
> > - I think that all output should by default be HTML-escaped to avoid
> > security flaws, so the baked code should rather be something like:
> > <?php echo h($user['Model']['field']); ?>
>
> > What are your opinions - should this be considered a bug?
>
> > Regards
>
> > Jonathan
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"CakePHP" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to
[email protected]
For more options, visit this group at
http://groups.google.com/group/cake-php?hl=en
-~----------~----~----~----~------~----~------~--~---
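As an added example (not code from this thread or from CakePHP itself), the script below reproduces what a baked view cell outputs for a constructed record, once as the stock template echoes it and once through h(), and applies the key-field rule from the edited template above. It assumes CakePHP's h() is htmlspecialchars() with ENT_QUOTES (which is what 1.2 does) and reimplements it so the script runs without the framework.

```php
<?php
// Added example; the record and the h() stand-in are constructed here,
// not taken from the thread or from CakePHP.

// Stand-in for CakePHP 1.2's h(): htmlspecialchars with ENT_QUOTES.
function h($text, $charset = 'UTF-8') {
    return htmlspecialchars($text, ENT_QUOTES, $charset);
}

// The heuristic from the edited bake template: "id", or any field name
// ending in "_id", is treated as a key and left unescaped.
function isKeyField($field) {
    return $field === 'id'
        || (strlen($field) > 3 && substr($field, -3, 3) === '_id');
}

// What one baked <td> cell renders for a value. $escape = false is the
// stock 1.2 template, $escape = true is the h()-wrapped version.
function renderCell($value, $escape) {
    $out = $escape ? h($value) : $value;
    return "\t\t<td>\n\t\t\t{$out}\n\t\t</td>\n";
}

// Constructed record: the "name" column holds a stored script tag,
// the kind of value a user-editable field can end up containing.
$user = array('User' => array(
    'id'       => 7,
    'group_id' => 2,
    'name'     => '<script>alert(1)</script>',
));

foreach ($user['User'] as $field => $value) {
    $escape = !isKeyField($field);   // rule applied by the edited template
    echo "-- {$field} (escaped by edited template: " . ($escape ? 'yes' : 'no') . ")\n";
    echo "stock:  " . renderCell($value, false);
    echo "edited: " . renderCell($value, $escape);
}
```

For the "name" column the stock output contains the raw script tag while the edited output contains `&lt;script&gt;alert(1)&lt;/script&gt;`; the two key columns render identically in both, which is what the exclusion rule intends.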