looks good to me

but I strongly recommend putting a 'disclaimer' saying that additional
sanitization may be needed

ropu

On Thu, Nov 20, 2008 at 6:38 PM, Chris Chabot <[EMAIL PROTECTED]> wrote:

> nope, <a> is a valid tag and hence not removed.
>
> We *could* potentially do a tag + attribute filtering, but that's rather
> more expensive than a simple strip_tags, and might also be container
> specific (the docs don't clarify much on what should and shouldn't be
> stripped anyhow).
>
> So for now I'd be happy to punt it as 'container sanitization business'
> unless anyone has some strong different opinions
>
> On Thu, Nov 20, 2008 at 6:48 PM, Ropu <[EMAIL PROTECTED]> wrote:
>
> > hmm, this patch will also remove this:
> >
> > <a href="javascript:alert()">
> >
> > ?
> >
> > or that should be a container sanitization business?
> >
> > ropu
> >
> > On Wed, Nov 19, 2008 at 12:32 AM, <[EMAIL PROTECTED]> wrote:
> >
> > > Author: chabotc
> > > Date: Wed Nov 19 02:32:04 2008
> > > New Revision: 718927
> > >
> > > URL: http://svn.apache.org/viewvc?rev=718927&view=rev
> > > Log:
> > > SHINDIG-544 - strip any non-allowed tags
> > >
> > > Modified:
> > >    incubator/shindig/trunk/php/src/social/model/Activity.php
> > >
> > > Modified: incubator/shindig/trunk/php/src/social/model/Activity.php
> > > URL:
> > >
> >
> http://svn.apache.org/viewvc/incubator/shindig/trunk/php/src/social/model/Activity.php?rev=718927&r1=718926&r2=718927&view=diff
> > >
> > >
> >
> ==============================================================================
> > > --- incubator/shindig/trunk/php/src/social/model/Activity.php
> (original)
> > > +++ incubator/shindig/trunk/php/src/social/model/Activity.php Wed Nov
> 19
> > > 02:32:04 2008
> > > @@ -1,4 +1,5 @@
> > >  <?php
> > > +
> > >  /*
> > >  * Licensed to the Apache Software Foundation (ASF) under one
> > >  * or more contributor license agreements. See the NOTICE file
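Review bot: The `+` line in this hunk only inserts a blank line after `<?php`, which is unrelated to SHINDIG-544; keeping whitespace-only churn out of a fix commit makes the change easier to audit later when someone asks what the tag filtering commit actually touched.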
> > > @@ -183,7 +184,7 @@
> > >
> > >        public function setTitle($title)
> > >        {
> > > -               $this->title = $title;
> > > +               $this->title = strip_tags($title,
> > '<b><i><a><span><img>');
> > >        }
> > >
> > >        public function getTitleId()
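Review bot: `strip_tags()` on the `+` line only drops disallowed tags; it leaves every attribute on the allowed `<a>`, `<img>` and `<span>` exactly as received, so the `<a href="javascript:alert()">` case Ropu raises, and any event-handler attribute on `<img>`, pass through `setTitle()` untouched. Either add attribute filtering (an allowlist of tag => attributes, with `href`/`src` restricted to http/https), or at least put a doc comment on `setTitle()` stating that the value is tag-filtered only and the container must still sanitize before rendering, as Ropu suggests. Note also that the second line `'<b><i><a><span><img>');` is mail-client wrapping, not a separate line in the patch, so the allowed-tag list should be read from the actual commit rather than this copy.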
> > > @@ -215,4 +216,5 @@
> > >        {
> > >                $this->userId = $userId;
> > >        }
> > > +
> > >  }
> > >
> > >
> > >
> >
> >
> > --
> > .-. --- .--. ..-
> > R  o  p  u
> >
>



-- 
.-. --- .--. ..-
R  o  p  u
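As an added example (not Shindig's code, and not from anyone in this thread), the following PHP contrasts what the committed `strip_tags()` call does with the "tag + attribute filtering" Chris mentions, using Ropu's `<a href="javascript:alert()">` case. The function names (`stripTitleTags`, `sanitizeTitle`, `cleanNode`, `isSafeUrl`), the attribute allowlist (`href` on `<a>`, `src`/`alt` on `<img>`) and the constructed `<img>` input are assumptions for illustration; the tag list is the one in the patch.

```php
<?php
// Added example, not part of Shindig: contrasts strip_tags() with a
// tag + attribute allowlist for Activity titles. Function names and the
// attribute allowlist below are assumptions, not project API.

// What the patch does: unknown tags go, but attributes on allowed tags
// (href, src, event handlers) are left exactly as they were.
function stripTitleTags(string $title): string
{
    return strip_tags($title, '<b><i><a><span><img>');
}

// Assumed allowlist: tag => attributes kept on it. Everything else is removed.
const TITLE_ALLOWLIST = [
    'b'    => [],
    'i'    => [],
    'span' => [],
    'a'    => ['href'],
    'img'  => ['src', 'alt'],
];

// Only http/https URLs (or scheme-less relative paths) survive in href/src.
function isSafeUrl(string $url): bool
{
    // Browsers skip control characters and whitespace while parsing the
    // scheme, so remove them before checking it.
    $probe = preg_replace('/[\x00-\x20]+/', '', $url);
    if (preg_match('#^([a-z][a-z0-9+.\-]*):#i', $probe, $m)) {
        return in_array(strtolower($m[1]), ['http', 'https'], true);
    }
    return true; // no scheme: relative URL
}

function cleanNode(DOMNode $node, array $allowed): void
{
    // Iterate over a copy: the child list changes while we unwrap/remove.
    foreach (iterator_to_array($node->childNodes, false) as $child) {
        if ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if ($tag === 'script' || $tag === 'style') {
                $node->removeChild($child);      // drop tag and its contents
                continue;
            }
            if (!isset($allowed[$tag])) {
                // Disallowed tag: keep its (cleaned) children, drop the element,
                // which is what strip_tags does for such a tag.
                cleanNode($child, $allowed);
                while ($child->firstChild !== null) {
                    $node->insertBefore($child->firstChild, $child);
                }
                $node->removeChild($child);
                continue;
            }
            // Allowed tag: keep only allowlisted attributes, and for URL
            // attributes only safe schemes.
            foreach (iterator_to_array($child->attributes, false) as $attr) {
                $name = strtolower($attr->name);
                $keep = in_array($name, $allowed[$tag], true)
                    && (!in_array($name, ['href', 'src'], true) || isSafeUrl($attr->value));
                if (!$keep) {
                    $child->removeAttribute($attr->name);
                }
            }
            cleanNode($child, $allowed);
        } elseif (!($child instanceof DOMText)) {
            $node->removeChild($child);          // comments, processing instructions
        }
    }
}

function sanitizeTitle(string $title): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);           // tolerate broken HTML in the fragment
    $doc->loadHTML('<!DOCTYPE html><html><head><meta charset="utf-8"></head><body>'
        . $title . '</body></html>');
    libxml_clear_errors();
    $body = $doc->getElementsByTagName('body')->item(0);
    cleanNode($body, TITLE_ALLOWLIST);
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Ropu's example from the thread, plus a constructed <img> carrying an
// attribute that is not on the allowlist.
$title = 'Hi <a href="javascript:alert()">x</a><img src="a.png" onerror="f()">';
echo stripTitleTags($title), "\n";   // tags filtered, attributes left as-is
echo sanitizeTitle($title), "\n";    // javascript: href and onerror removed, src kept
```

The DOM-based version parses the fragment with libxml's HTML parser rather than matching tags with a regex, so malformed markup is normalised before filtering and the output is re-serialised from the cleaned tree; `strip_tags()` is cheaper, which is Chris's point, but the cost difference only matters if the container does not already sanitize on output.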
