Hi Peter,

Are you talking about 1.8 or 2.0? I think both lack a complete HTML
validation, but at least 1.8 had a considerable filtering effort at
some point. The ampersand thing always had me questioning whether it
was really necessary. You seem to say it is, so I'll update that in our
code conventions. Any *easy* reference to explain the problem? (The
OWASP reference is about XSS in particular, not just the ampersand.)

Found this in French (or is it automatic translation?):
http://www.htmlhelp.com/tools/validator/problems.html#amp

YannickE
On Thu, 27-01-2011 at 17:12 +0100, Peter Bex wrote:
> Hello everyone,
> 
> I was attempting to debug an issue with IE8 (not solved yet) when I
> noticed that the HTML generated by Chamilo is completely invalid.
> 
> The worst offenders are unescaped ampersands in hyperlinks, but also
> missing alt attributes on images.
> 
> I went through the code and made it so that the proper things are at
> least escaped. So far I have only done this for the front page.
> See changeset dc64e2ebbb.  As you can see, there are a lot of places
> where this wasn't thought of.  Almost everywhere you find a link to
> some other page in Chamilo this is missing.
> 
> The fact that characters which have a meaning in html are not escaped
> has me rather worried.  Aside from the fact that this can create many
> problems with the browser interpreting the HTML in a wrong way resulting
> in hard-to-reproduce rendering glitches (because each browser does it
> differently), it is also a potential security risk.  In fact, it ranked
> number 2 on last year's OWASP Top 10 of application security risks:
> http://www.owasp.org/index.php/Top_10_2010-Main
> 
> I noticed the classes that generate tables from record sets contain
> some calls to "Security::Remove_XSS", which seems to me a good way
> to get rid of most of the security-related problems, at least for tables,
> but it doesn't really solve the HTML validity issue.  Are there any plans
> to solve this problem in a more structural way in other parts of the code?
> 
> Cheers,
> Peter Bex
> Solide ICT - http://www.solide-ict.nl
> 
> _______________________________________________
> Dev mailing list
> Dev@lists.chamilo.org
> http://lists.chamilo.org/listinfo/dev
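As an added illustration (not code from either message or from Chamilo; in PHP the escaping step is htmlspecialchars), the Python below builds the same hyperlink with and without HTML-escaping the href and shows what an HTML parser actually reads back. The file name and parameters are constructed; Python's parser resolves the legacy entity name `copy` even without a semicolon, which is exactly the ambiguity a validator flags when `&` is left bare in an attribute.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlencode


def build_link(path, params, text):
    """Build an <a> element the way the thread asks for: every value is
    URL-encoded into the query string, then the whole URL and the link
    text are HTML-escaped, so '&' becomes '&amp;' and '"' or '<' cannot
    end the attribute or open a tag."""
    url = f"{path}?{urlencode(params)}"
    return f'<a href="{html.escape(url, quote=True)}">{html.escape(text)}</a>'


def build_link_unescaped(path, params, text):
    """The pattern the thread describes: values dropped into the markup
    verbatim. Kept only as the 'before' for comparison."""
    query = "&".join(f"{k}={v}" for k, v in params.items())
    return f'<a href="{path}?{query}">{text}</a>'


class _HrefCollector(HTMLParser):
    """Records href values as the parser decodes them (entities resolved)."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href")


def decoded_href(markup):
    """Return the href a parser sees for the first <a> in `markup`."""
    collector = _HrefCollector()
    collector.feed(markup)
    return collector.hrefs[0]


if __name__ == "__main__":
    # Constructed sample: a course link whose second parameter happens to be
    # spelled like the legacy entity name 'copy'.
    params = {"cidReq": "TEST", "copy": "1"}
    good = build_link("page.php", params, "Course <TEST>")
    bad = build_link_unescaped("page.php", params, "Course <TEST>")
    print(good)                # href holds &amp;copy=1, text holds &lt;TEST&gt;
    print(decoded_href(good))  # page.php?cidReq=TEST&copy=1
    print(bad)                 # href holds a bare &copy=1
    print(decoded_href(bad))   # page.php?cidReq=TEST©=1 (entity resolved)
```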

