All inputs to CLI systems should be escaped for security reasons. Also recommended to add blacklists for CLI functions and/or remove them.
GDOv7 is not really planned as a multi-user system, but it should and (?:could)* be? +asap
Thanks for this!
A milestone here is to have two Linux user accounts share the same gdo installation (this is actually a speedup as the paths are in opcache)
Thx for your input!
One could write a phpgdo-multiuser module that switches configs based on usernames? O.o (brrr)
Escaping should only be done to untrusted user input. For example you can mark GDTs Traiting WithTitle as being ->escaped().
@todo: Automatically mark GDO having GDT_Title as being escaped. (I bet there are XSS lurking atm)
As a user you might want to add plain html.
Actually GDOv7 GDT_Message - (user content OUCH!) - is based on a simple <textarea> that allows plain html to style your posts.
It uses htmlpurifier to sanitize the user input.
There are gdo modules available to change the GDT_Message editor to a wysiwyg editor (currently only some Module_Markdown, without file support atm).