[Bb-trac] [bbPress] #874: strip_tags should be replaced with an enhanced anti-xss function
bbPress
bb-trac at lists.bbpress.org
Wed Apr 30 15:34:55 GMT 2008
#874: strip_tags should be replaced with an enhanced anti-xss function
-------------------------+--------------------------------------------------
Reporter: _ck_ | Owner:
Type: enhancement | Status: new
Priority: low | Milestone: 1.0-beta & XML-RPC
Component: Back-end | Version:
Severity: minor | Keywords:
-------------------------+--------------------------------------------------
I've been reading up on how XSS attacks are done and I believe that the
simple "strip_tags" that bbPress (and WordPress) uses against INPUT and
TEXTAREA data is not enough in some cases to deal with (purposely)
malformed HTML, including CDATA payloads, which browsers will execute
anyway.
I'm not knowledgeable enough yet to contribute a proper solution, but I
want to help avoid a headline someday about ten-thousand bbPress sites
defaced. This is one example of a superior solution but far too bulky IMHO,
and I hope a lightweight alternative can be devised:
http://pixel-apes.com/safehtml/
--
Ticket URL: <http://trac.bbpress.org/ticket/874>
bbPress <http://bbpress.org/>
Innovative forum development
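The ticket's point, as an added illustration that is not bbPress or WordPress code: strip_tags() with an allow-list keeps every attribute on the tags it allows (documented PHP behaviour), so it is a weak XSS control on its own, whereas a parse-and-rebuild allow-list sanitizer drops all attributes, unwraps unknown tags, and escapes the remaining text on output. The function names sanitize_allowlist and render_node and the sample input are constructed for this example.

```php
<?php
// Added example (not bbPress code). Sample input is constructed.

// 1. strip_tags() with an allow-list leaves attributes on allowed tags
//    untouched, so attribute content reaches the page unchanged.
$constructed = '<b title="kept as-is">bold</b> <p class="x">para</p>';
$weak = strip_tags($constructed, '<b>'); // the title="..." attribute survives

// 2. Allow-list sanitizer (hypothetical helper): parse the fragment as HTML,
//    keep only known tag names, drop every attribute, and re-serialize.
function sanitize_allowlist(string $html, array $allowed = ['b', 'i', 'em', 'strong', 'p']): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true); // malformed input must not raise warnings
    // Wrap in a container so fragments without a single root parse predictably;
    // anything the parser places outside the wrapper is discarded (fail closed).
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>',
        LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    $root = $doc->getElementsByTagName('div')->item(0); // outermost div = wrapper
    if ($root === null) {
        return '';
    }
    $out = '';
    foreach ($root->childNodes as $node) {
        $out .= render_node($node, $allowed);
    }
    return $out;
}

function render_node(DOMNode $node, array $allowed): string
{
    if ($node instanceof DOMText) { // includes DOMCdataSection, a DOMText subclass
        // Text is always escaped on output, regardless of how it arrived.
        return htmlspecialchars($node->nodeValue, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
    if (!($node instanceof DOMElement)) {
        return ''; // comments and processing instructions are dropped
    }
    $inner = '';
    foreach ($node->childNodes as $child) {
        $inner .= render_node($child, $allowed);
    }
    $tag = strtolower($node->tagName);
    // Allowed tags are re-emitted with no attributes; unknown tags are unwrapped
    // so their text survives but their markup does not.
    return in_array($tag, $allowed, true) ? "<$tag>$inner</$tag>" : $inner;
}

echo sanitize_allowlist($constructed), PHP_EOL;
```

Escaping at output time with htmlspecialchars() for any field that is not meant to carry markup at all is the simpler and stronger control; the sanitizer is only for fields where some HTML must be preserved.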