Ok so I turned on the escaping strategy and used htmlspecialchars_decode() in the show-users-comments function to show their links. I also used javascript - the user must confirm the delete action, so now <IMG src="/profil/users/notaccept/22"> doesn't work. But is it a good solution against CSRF attacks?
On 11 Apr, 10:50, Alexandru-Emil Lupu <[email protected]> wrote:
> Hi!
> You might want to implement a liking system for "unaccepting" friends:
> like:
> <a href="/profil/users/notaccept/22"><IMG src="/profil/users/*images*/notaccept/22"></a>
> and also a javascript confirmation ...
> also ... it would be a good idea that system to use unique friends id ...
> and also ... unaccepting friend may be done via ajax using post.
> and also ... try disable htmlentities and use a BB code or Wiki syntax ...
> would be better.. and painless against user input ...
> Alecs
>
> On Sat, Apr 11, 2009 at 10:47 AM, dziobacz <[email protected]> wrote:
> >
> > But I would like to make that users can add links so in settings.yml I
> > have made escaping_strategy: false.
> > User with id=1 adds comment:
> > <IMG src="/profil/users/notaccept/22">
> > User with id=5 goes to page with <IMG src="/profil/users/notaccept/22">
> > and it deletes from database his friend with id=22 :(
> > My application isn't safe :( !! What can I do ? :((((
> >
> > On 11 Apr, 08:38, "[email protected]" <[email protected]> wrote:
> > > I think you misunderstood the concept behind it.
> > > CSRFProtection is used in forms, not in simple links.
> > >
> > > Michael
> > >
> > > On 10 Apr., 15:40, dziobacz <[email protected]> wrote:
> > > >
> > > > I have read about csrf protection but I still don't understand
> > > > everything.
> > > >
> > > > I have in settings.yml:
> > > > csrf_secret: secret12
> > > >
> > > > I have something like that in template:
> > > > User A adds user B to friends.
> > > > User B can accept it - then I have link:
> > > > <a href="/profile/users/accept/<?php echo $z->getId() ?>" >accept</a>
> > > > or not accept it - then link:
> > > > <a href="/profile/users/notaccept/<?php echo $z->getId() ?>" >not accept</a>
> > > >
> > > > Then I in file actions.class.php take id like that:
> > > > $id = (int)$request->getParameter('accept');
> > > > $id = (int)$request->getParameter('notaccept');
> > > >
> > > > and add or delete row to/from database. Should I in both cases write:
> > > > $request->checkCSRFProtection() ??
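As an added example (not code from the thread or from symfony itself), here is the shape of the fix the replies point at: the "not accept" action stops being a GET link and becomes a POST carrying the session's CSRF token, so an <IMG> or <a> injected into a comment can no longer trigger it, whatever the escaping strategy is. It assumes symfony 1.2+ with csrf_secret set; the names UnfriendForm, profileActions and $pending are assumptions.

```php
<?php
// lib/form/UnfriendForm.php (assumed name): carries the friend id plus the
// _csrf_token hidden field that sfForm adds itself once csrf_secret is set.
class UnfriendForm extends sfForm
{
  public function configure()
  {
    $this->setWidgets(array('id' => new sfWidgetFormInputHidden()));
    $this->setValidators(array('id' => new sfValidatorInteger(array('min' => 1))));
  }
}

// apps/frontend/modules/profile/actions/actions.class.php (assumed module)
class profileActions extends sfActions
{
  // Before: GET /profile/users/notaccept/22 deleted the row, so any
  // <img src="/profile/users/notaccept/22"> in a comment fired it.
  // Now the delete needs a POST whose _csrf_token matches the session's
  // token, which a third-party image or link cannot supply.
  public function executeNotaccept(sfWebRequest $request)
  {
    // A browser fetching an <img> or following a link always sends GET.
    $this->forward404Unless($request->isMethod(sfRequest::POST));

    $form = new UnfriendForm();
    // bind() runs sfValidatorCSRFToken on _csrf_token next to the id
    // validator; a missing or stale token makes the form invalid.
    $form->bind($request->getPostParameters());
    $this->forward404Unless($form->isValid());

    $id = $form->getValue('id');
    // Delete only the (current user, $id) friend row here, as before;
    // the row lookup is scoped to $this->getUser(), never to a raw id alone.

    $this->redirect('profile/users');
  }
}
?>
<?php /* template: one small POST form per pending request, not a GET link */ ?>
<?php foreach ($pending as $z): $form = new UnfriendForm(array('id' => $z->getId())); ?>
<form action="<?php echo url_for('profile/notaccept') ?>" method="post"
      onsubmit="return confirm('Reject this friend request?');">
  <?php echo $form->renderHiddenFields() ?>
  <input type="submit" value="not accept" />
</form>
<?php endforeach ?>
```

The same pattern applies to the accept action; for an action with no form of its own, $request->checkCSRFProtection() after the POST check does the token comparison instead of sfForm::bind().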
