How does the filter sanitize the malicious contents from the user? #7
Comments
Well, the answer, as you might suspect, is that it does not currently check the content that is passed into the filter strings. I am pretty sure that's a red flag. I will add that to the roadmap.
David, I spent a bit of time looking at this. I had planned to put each of the variable inputs to the filter via a sanitizing function, i.e. clean_param($input, PARAM_TEXT). But I realized that since Generico is only available to users via the editor, malicious content should already be sanitized by the editor or the plugin containing it. I was unable to get anything bad through the filter and out the other end when I tested. My malicious script dev. skills may not be up to scratch, but I think it's ok.
What if I set textarea as my preferred editor and type the Generico syntax manually (including the malicious contents)? Also note, the content is not generally cleaned on input.
Sorry, I haven't looked into the actual code. I am just wondering what protection layers are there to prevent various malicious attacks via the filter, such as injecting JavaScript into the placeholders that are then used to generate the actual HTML code.
I am thinking about some advanced variant of things like this.
As filters' output is implicitly trusted, filters themselves are responsible for cleaning the user input in situations like this.
Thanks in advance for the info.
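To make the concern above concrete, here is an added example (not Generico's own code, and not from anyone in this thread) of a toy placeholder filter in PHP, the language Moodle filters are written in. The filter syntax, the template, the placeholder names and the helper names are all assumptions made for this example; the "sample input" is a constructed string, not something observed in the plugin. It shows the two things the thread is circling: a filter that substitutes user-supplied placeholder values straight into HTML passes markup through unchanged, while a filter that escapes each value for its HTML context (here with PHP's standard htmlspecialchars, standing in for a Moodle cleaning call such as the clean_param mentioned above) and additionally restricts the scheme of anything landing in an href does not.

```php
<?php
// Added example, not Generico's code. Hypothetical filter syntax for this demo:
//   {TOYFILTER:key=value,key2=value2}
// Values are assumed to contain no commas; a real parser would handle quoting.

// Assumed template. Placeholders look like @@name@@ and land in three different
// HTML contexts: a URL attribute, a plain attribute, and element text.
const TEMPLATE = '<a href="@@url@@" title="@@title@@">@@label@@</a>';

/** Parse "key=value,key=value" into an associative array. */
function parse_params(string $spec): array {
    $out = [];
    foreach (explode(',', $spec) as $pair) {
        if (strpos($pair, '=') === false) {
            continue;                       // ignore malformed fragments
        }
        [$k, $v] = explode('=', $pair, 2);
        $out[trim($k)] = $v;
    }
    return $out;
}

/**
 * UNSAFE variant: raw user text is copied into the HTML. Anything the user
 * typed (including a closing quote or a <script> element) reaches the page.
 */
function render_unsafe(string $template, array $params): string {
    foreach ($params as $k => $v) {
        $template = str_replace("@@$k@@", $v, $template);
    }
    return $template;
}

/** Only allow http/https URLs into an href; anything else becomes empty. */
function safe_url(string $url): string {
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $url : '';
}

/**
 * HARDENED variant: every placeholder value is escaped for an HTML attribute/
 * text context, URL placeholders are scheme-checked first, and placeholders
 * the user did not supply are blanked rather than left in the output.
 */
function render_safe(string $template, array $params): string {
    return preg_replace_callback('/@@([a-z0-9_]+)@@/i', function (array $m) use ($params) {
        $name  = $m[1];
        $value = $params[$name] ?? '';
        if ($name === 'url') {
            $value = safe_url($value);      // escaping alone does not make a URL safe
        }
        return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }, $template);
}

// Constructed sample input: what someone could type by hand with the textarea
// editor, i.e. without the rich-text editor's cleaning. Not real user content.
$untrusted = 'url=https://example.com,title="><script>alert(1)</script>,label=Click';
$params    = parse_params($untrusted);

echo "unsafe: ", render_unsafe(TEMPLATE, $params), "\n";
// unsafe: <a href="https://example.com" title=""><script>alert(1)</script>">Click</a>
//         -> the title value closes the attribute and the script element is live

echo "safe:   ", render_safe(TEMPLATE, $params), "\n";
// safe:   <a href="https://example.com" title="&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;">Click</a>
//         -> the same text is inert: it renders as characters, not markup
```

Run it with `php toyfilter.php`. The point for a filter author is the one made in the thread: because filter output is trusted by the rendering pipeline, the filter cannot rely on the editor having cleaned the text, so each placeholder value has to be cleaned at the point where it is inserted, with the escaping chosen per context (attribute, text, URL) rather than one blanket call.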