I agree we can't rely on user data. There is already a light "HTMLPurifier" in Dolibarr (it is not based on an external lib but included in Dolibarr's core code; lighter than HTMLPurifier but really, really faster).
However, I am not sure we must rely on such tools. They filter strings we don't want to filter and forget others. It is better to rely on good practice, that is escaping strings wherever we should escape strings. These are the escaping and sanitizing functions we MUST use everywhere, and they are the only fully secure solution (the internal Dolibarr purifier is only a complement, but can't be relied on):

For js: dol_escape_js
For sql: $db->escape
For html: dol_escape_htmltag or dol_html_entities

2014-09-15 16:26 GMT+02:00 [Kreiz IT]Cédric GROSS <c.gr...@kreiz-it.fr>:
> Hello there,
>
> I had a look at http://htmlpurifier.org. This library cleans up variables against
> a list of wished HTML tags.
> I think including this library in Dolibarr could greatly improve security,
> especially for fields where fckeditor is used.
>
> What do you think?
>
> Cedric
>
> _______________________________________________
> Dolibarr-dev mailing list
> Dolibarr-dev@nongnu.org
> https://lists.nongnu.org/mailman/listinfo/dolibarr-dev

--
Laurent Destailleur (alias Eldy)
------------------------------------------------------------------------------------
Social networks of my OpenSource projects:
Dolibarr Google+: https://plus.google.com/+DolibarrOrg/
Dolibarr Facebook: https://www.facebook.com/dolibarr
Dolibarr Twitter: http://www.twitter.com/dolibarr
AWStats Google+: https://plus.google.com/+AWStatsOrgPoject/
AWStats Facebook: https://www.facebook.com/awstats.org
AWStats Twitter: http://www.twitter.com/awstats_project
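The point Eldy makes above is that escaping is a property of the sink, not of the input: one value can be harmless in HTML and still break a JavaScript literal or an SQL statement, so a single "purifier" pass cannot replace per-context escaping. The following PHP is an added example written for this page, not Dolibarr code. The helpers escape_html(), escape_js(), find_company(), find_company_purified_only() and make_db() are this example's own (assumed names); they only stand in for the roles the mail assigns to dol_escape_htmltag, dol_escape_js and $db->escape, and use plain PHP (htmlspecialchars, json_encode, PDO parameter binding, the latter being a stronger form of what a string escaper like $db->escape gives you). The input string is constructed for the demonstration.

```php
<?php
// Added example, not Dolibarr code: one untrusted value, three sinks, three
// different escapers. The helper names below are this example's own assumption.
declare(strict_types=1);

// Constructed attacker-controlled input. It carries one payload per sink: a
// quote plus SQL for the database, and a closing </script> for inline JS.
const UNTRUSTED = "Acme' OR 1=1 --</script><script>alert(1)</script>";

// HTML text or attribute context: every quote and angle bracket becomes an entity.
function escape_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// JavaScript string-literal context. json_encode() emits a quoted literal and
// the HEX flags turn < > & ' " into \uXXXX, so the value can neither close the
// surrounding quotes nor the enclosing <script> element.
function escape_js(string $s): string
{
    $out = json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    if ($out === false) {
        throw new RuntimeException('value is not valid UTF-8: ' . json_last_error_msg());
    }
    return $out;
}

// SQL context: a bound parameter is compared as data, whatever it contains.
function find_company(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM societe WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The anti-pattern under discussion: push everything through one tag-oriented
// "purifier" (strip_tags() plays that role here) and then concatenate the result
// into SQL. The <script> tags are removed; the quote and "OR 1=1 --" survive and
// the trailing quote of the statement is swallowed by the SQL comment.
function find_company_purified_only(PDO $db, string $name): array
{
    $purified = strip_tags($name);
    $sql = "SELECT id, name FROM societe WHERE name = '" . $purified . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// In-memory SQLite table (constructed sample rows) so the SQL part runs offline.
function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE societe (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    $db->exec("INSERT INTO societe (name) VALUES ('Acme'), ('Globex')");
    return $db;
}

$db = make_db();

// 1) HTML attribute sink
echo '<input name="nom" value="' . escape_html(UNTRUSTED) . '">', PHP_EOL;
// 2) JavaScript string sink inside an inline script
echo '<script>var nom = ' . escape_js(UNTRUSTED) . ';</script>', PHP_EOL;
// 3) SQL sink, escaped for its context versus "purified" and concatenated
printf("bound parameter: %d row(s)\n", count(find_company($db, UNTRUSTED)));
printf("purifier only:   %d row(s)\n", count(find_company_purified_only($db, UNTRUSTED)));
```

Run with `php example.php` (needs the pdo_sqlite extension). The bound query matches no row, because no company is literally named with the payload; the purified-only query returns both rows, since the `OR 1=1` survived the tag filter. The same mismatch applies in the other direction: a value that is clean for SQL can still carry `</script>`, which is why each sink needs its own escaper rather than one filter applied on input.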