On Fri, Jan 28, 2011 at 09:47:04AM -0500, Yannick Warnier wrote:
> Just to add that the efficiency problems of HTMLPurifier (mostly due to
> a bug at that time in HTMLPurifier itself) found in 1.8.6.2 were removed
> in 1.8.7.

Good to hear this.

> The filtering is done, in many cases, before putting text into
> the database. This is probably a bad philosophical choice, but it
> actually reduces the overhead to filter it once at input time instead of
> an unlimited number of times at output time.

Filtering data before storing it in the database is fine, but
escaping or encoding it in a particular way isn't.

The wiki code I was referring to was doing things like
"INSERT INTO foo (".Remove_XSS(strip_slashes(htmlentities($x))).")";
Maybe a little exaggerated, but the code was really very similar to
this.  We submitted a patch for the wiki, but didn't even inspect other
code.  This left us with the feeling that security was like this in
other aspects of the code.

> This being said, content directly going to the screen (without passing
> through the database) is filtered (except in the case of one or two
> little security flaws per year). The security awareness of the 1.8 team
> has been raised around two years ago with considerable time spent on
> internal education, and we tend to be very cautious with security
> filtering since then. 

Then maybe my initial feeling was unjustified and the wiki was just one
of the aspects of the code that still happened to contain insecure code.
After realising that things have been done badly security-wise, a code
audit is a good idea; this would've caught such mistakes.

> I'm not sure what the state of this actually is in 2.0 but you seem to
> say it's much worse, so somehow I'm worried.

I haven't dug in too deeply yet, but the things I saw were worrying.
That's one of the reasons I sent my mail, to raise awareness and to
test the waters, see what others were thinking.

> But yeah, 1.8 is still around and will probably still be for some time.
> I understand you are focused on 2.0, but try to avoid any possibly
> mis-understandable comment on any version. We are currently two
> different dedicated teams. We don't want to hurt anybody and developers
> get irritated easily by an e-mail commenting on their work of the last 6
> years with a slight meaning that this is insignificant :-)

I'm sorry for the bad choice of words. I didn't mean to offend, I really
*am* so wrapped up with the 2.0 stuff that I forgot to mention that my
message was specifically about 2.0.

Cheers,
Peter Bex
Solide ICT - http://www.solide-ict.nl
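The point made above about filtering at input time versus escaping at output time, as an added illustration that is not part of this thread or of Chamilo's code. It is written in Python with sqlite3 rather than the project's PHP, and the `notes` table, `SAMPLE` text and function names are constructed for the demonstration: the stored value is filtered once, SQL safety comes from bound parameters, and HTML encoding is applied only when rendering to HTML, so the same row can also be served as JSON.

```python
import html
import json
import sqlite3

# Constructed sample input: a user comment with an ampersand, quotes and markup.
SAMPLE = 'Tom & Jerry say "1 < 2" <b>bold</b>'


def filter_input(text: str) -> str:
    """Context-free input filtering: trim and drop control characters.
    A sanitiser such as HTMLPurifier would sit here; nothing is encoded
    for any particular output."""
    return "".join(ch for ch in text.strip() if ch >= " " or ch in "\n\t")


def store_bad(conn: sqlite3.Connection, text: str) -> None:
    # Anti-pattern from the thread: HTML-encode before the INSERT.
    conn.execute("INSERT INTO notes(body) VALUES (?)",
                 (html.escape(filter_input(text)),))


def store_good(conn: sqlite3.Connection, text: str) -> None:
    # Store the filtered but unencoded value; the bound parameter handles SQL.
    conn.execute("INSERT INTO notes(body) VALUES (?)", (filter_input(text),))


def render_html(body: str) -> str:
    # Escape for the HTML text context at output time, every time.
    return html.escape(body)


def render_json(body: str) -> str:
    # A different output context: JSON needs JSON escaping, not HTML entities.
    return json.dumps({"body": body})


def demo() -> dict:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes(id INTEGER PRIMARY KEY, body TEXT)")
    store_bad(conn, SAMPLE)
    store_good(conn, SAMPLE)
    bad, good = [r[0] for r in conn.execute("SELECT body FROM notes ORDER BY id")]
    return {
        "bad_html": render_html(bad),    # double-encoded, shows &lt;b&gt; literally
        "good_html": render_html(good),  # encoded exactly once
        "bad_json": render_json(bad),    # HTML entities leak into the API
        "good_json": render_json(good),  # original text, JSON-escaped
    }
```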

_______________________________________________
Dev mailing list
Dev@lists.chamilo.org
http://lists.chamilo.org/listinfo/dev
