How does the filter sanitize the malicious contents from the user? #7

Open
mudrd8mz opened this issue Jan 26, 2017 · 3 comments
@mudrd8mz

Sorry I haven't looked into the actual code. I am just wondering what protection layers are there to prevent from various malicious attacks via the filter. Such as injecting JavaScript into the placeholders that are then used to generate the actual HTML code.

I am thinking about some advanced variant of things like this

{GENERICO:type="Button-Maker",style="btn-primary",url="' onclick="alert('XSS!'); href='",target="_blank"}

As filters' output is implicitly trusted, filters themselves are responsible for cleaning the user input in situations like this.

Thanks in advance for the info.

@justinhunt
Owner

Well, the answer, as you might suspect, is that it does not currently check the content that is passed into the filter strings. I am pretty sure that's a red flag. I will add that to the roadmap.

@justinhunt
Owner

David, I spent a bit of time looking at this. I had planned to put each of the variable inputs to the filter through a sanitizing function, i.e. clean_param($input, PARAM_TEXT). But I realized that since Generico is only available to users via the editor, malicious content should already be sanitized by the editor or the plugin containing it.

I was unable to get anything bad through the filter and out the other end when I tested. My malicious script dev. skills may not be up to scratch, but I think it's ok.

@mudrd8mz
Author

"Generico is only available to users via the editor"

What if I set textarea as my preferred editor and type the Generico syntax manually (including the malicious contents)? Also note that the content is not generally cleaned on input.
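The attribute-breakout payload from the first comment, and the clean_param($input, PARAM_TEXT) plan from the reply, worked through as an added PHP example. This is not Generico's code: the {GENERICO:...} parser, the single-quoted button template and the two sample tags are constructed assumptions that model only the substitution step of a text filter (user-supplied key="value" pairs dropped into an HTML template). The strip_tags variant stands in for PARAM_TEXT, which removes tags but leaves quotes alone, so it does not stop a quote from closing the href attribute; the escaped variant does what Moodle's s() does (htmlspecialchars with ENT_QUOTES) and adds a scheme allowlist, because escaping alone does not neutralise a javascript: URL.

```php
<?php
declare(strict_types=1);

// Added example; not code from the Generico plugin. Parser, template and
// sample tags are constructed assumptions modelling the substitution step.

/** Parse {GENERICO:key="value",key="value"} into an associative array. */
function parse_generico_tag(string $text): ?array {
    if (!preg_match('/^\{GENERICO:(.*)\}$/s', trim($text), $m)) {
        return null;
    }
    // A value runs from the opening quote to the first quote that is
    // followed by a comma or the end of the list, so embedded quotes survive.
    preg_match_all('/(\w+)="(.*?)"(?=,|$)/s', $m[1], $pairs, PREG_SET_ORDER);
    $params = [];
    foreach ($pairs as $p) {
        $params[$p[1]] = $p[2];
    }
    return $params;
}

/** Naive substitution: values go into the (single-quoted) template untouched. */
function render_unsafe(array $p): string {
    return "<a class='btn " . $p['style'] . "' href='" . $p['url']
         . "' target='" . $p['target'] . "'>Go</a>";
}

/** Tag stripping only, roughly what clean_param(..., PARAM_TEXT) does. */
function render_striptags(array $p): string {
    return render_unsafe(array_map('strip_tags', $p));
}

/** Attribute-context escaping plus a scheme allowlist for href. */
function render_escaped(array $p): string {
    $attr = fn(string $v): string => htmlspecialchars($v, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $url = $p['url'];
    // Escaping stops attribute breakout but not javascript: URLs, so the
    // scheme is checked separately; anything unexpected becomes a dead link.
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if ($scheme !== '' && !in_array($scheme, ['http', 'https'], true)) {
        $url = '#';
    }
    return "<a class='btn " . $attr($p['style']) . "' href='" . $attr($url)
         . "' target='" . $attr($p['target']) . "'>Go</a>";
}

// Constructed sample tags: the payload from this issue (typo fixed to onclick)
// and a javascript: URL that survives escaping but not the scheme check.
$tags = [
    '{GENERICO:type="Button-Maker",style="btn-primary",url="\' onclick="alert(\'XSS!\'); href=\'",target="_blank"}',
    '{GENERICO:type="Button-Maker",style="btn-primary",url="javascript:alert(1)",target="_blank"}',
];
foreach ($tags as $tag) {
    $p = parse_generico_tag($tag);
    echo "unsafe:    ", render_unsafe($p), "\n";
    echo "striptags: ", render_striptags($p), "\n";
    echo "escaped:   ", render_escaped($p), "\n\n";
}
```

Run with `php example.php`. For the first tag the unsafe and striptags lines both produce `href='' onclick="alert('XSS!'); href=''`, i.e. the onclick handler lands outside the attribute; only the escaped line keeps the quote inside href as an entity. For the second tag every variant except the escaped one emits a clickable javascript: link.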
