Hello everyone, I was attempting to debug an issue with IE8 (not solved yet) when I noticed that the HTML generated by Chamilo is completely invalid.
The worst offenders are unescaped ampersands in hyperlinks, but also missing alt attributes on images. I went through the code and made it so that the proper things are at least escaped. I did this only for the front page yet. See changeset dc64e2ebbb. As you can see, there are a lot of places where this wasn't thought of. Almost everywhere you find a link to some other page in Chamilo this is missing.

The fact that characters which have a meaning in HTML are not escaped has me rather worried. Aside from the fact that this can create many problems with the browser interpreting the HTML in a wrong way, resulting in hard-to-reproduce rendering glitches (because each browser does it differently), it is also a potential security risk. In fact, it ranked number 2 on last year's OWASP Top 10 of application security risks: http://www.owasp.org/index.php/Top_10_2010-Main

I noticed the classes that generate tables from record sets contain some calls to "Security::Remove_XSS", which seems to me a good way to get rid of most of the security-related problems, at least for tables, but it doesn't really solve the HTML validity issue. Are there any plans to solve this problem in a more structural way in other parts of the code?

Cheers,
Peter Bex
Solide ICT - http://www.solide-ict.nl

_______________________________________________
Dev mailing list
Dev@lists.chamilo.org
http://lists.chamilo.org/listinfo/dev
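The two problems the mail raises (raw `&` between query parameters, and unescaped values inside attributes) come from the same root cause: strings are concatenated into HTML without encoding for the context they land in. The following PHP is an added example written for this discussion, not Chamilo's own code or the code in the changeset mentioned above. The function names, the page path and the parameter names are constructed for illustration; only the PHP built-ins (`http_build_query`, `htmlspecialchars`) are real.

```php
<?php
// Added example (not Chamilo's own code). Shows the link-building pattern the
// mail complains about beside a form that emits valid HTML and keeps
// user-controlled values inside the attribute they were placed in.
// Function names and sample paths/parameters are hypothetical.

// The problematic pattern: query parameters concatenated raw. The '&'
// separators are invalid inside an HTML attribute, and nothing in the value
// is escaped, so a value containing '"' or '<' changes the markup.
function unsafe_link(string $page, array $params, string $label): string
{
    $pairs = [];
    foreach ($params as $k => $v) {
        $pairs[] = $k . '=' . $v;
    }
    return '<a href="' . $page . '?' . implode('&', $pairs) . '">' . $label . '</a>';
}

// HTML-escape a string for use in attribute values or element text.
// ENT_QUOTES covers both quote styles, so the result is safe in either
// single- or double-quoted attributes.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hardened form: two distinct encodings, applied in the right order.
//  1. URL-encode each parameter name and value (http_build_query does this),
//     so reserved characters inside a value cannot add extra parameters.
//  2. HTML-escape the finished URL and the link text, so the '&' separators
//     become '&amp;' (valid HTML) and quotes or '<' cannot break out.
function safe_link(string $page, array $params, string $label): string
{
    $href = $page;
    if ($params !== []) {
        $href .= '?' . http_build_query($params, '', '&', PHP_QUERY_RFC3986);
    }
    return '<a href="' . h($href) . '">' . h($label) . '</a>';
}

// Images: the alt attribute is required for valid HTML. An empty alt is
// acceptable for purely decorative images; omitting the attribute is not.
function safe_img(string $src, string $alt): string
{
    return '<img src="' . h($src) . '" alt="' . h($alt) . '" />';
}

// Constructed sample input: a fixed id plus a user-supplied search string
// that contains characters with meaning in both URLs and HTML.
$params = ['course' => 'COURSE01', 'search' => 'a&b "quoted" <tag>'];

echo unsafe_link('course_home.php', $params, 'Course <home>'), PHP_EOL;
echo safe_link('course_home.php', $params, 'Course <home>'), PHP_EOL;
echo safe_img('img/logo.png', 'Site logo'), PHP_EOL;
```

Running it prints the raw concatenation first, with bare `&` and an unescaped `"` and `<` inside the `href`, then the hardened link in which every separator is `&amp;` and the search value survives as one percent-encoded parameter. The point for the structural question in the mail is the order of operations: URL-encoding belongs where the URL is built, HTML-escaping belongs at the moment the string is written into markup, and a blacklist-style filter such as `Security::Remove_XSS` applied somewhere in between addresses neither the validity problem nor the attribute-context problem.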