[Bb-trac] Re: [bbPress] #874: strip_tags should be replaced with an enhanced anti-xss function
bbPress
bb-trac at lists.bbpress.org
Wed Apr 30 22:04:22 GMT 2008
#874: strip_tags should be replaced with an enhanced anti-xss function
-------------------------+--------------------------------------------------
Reporter: _ck_ | Owner:
Type: enhancement | Status: closed
Priority: low | Milestone: 1.0-beta & XML-RPC
Component: Back-end | Version:
Severity: minor | Resolution: invalid
Keywords: |
-------------------------+--------------------------------------------------
Changes (by mdawaffe):
* status: new => closed
* resolution: => invalid
Comment:
bbPress (and WordPress) does far more than {{{strip_tags()}}} when
printing out data to the screen.
All textareas should be treated with {{{wp_specialchars()}}} and all HTML
attributes (such as input values) should be treated with
{{{attribute_escape()}}} or {{{clean_url()}}} (or {{{bb_fix_url()}}}) as
appropriate.
Stricter sanitation is sometimes used (limiting a string to only a-z0-9-,
casting a numeric value to (int), etc), but those are the baselines.
User input that is *meant* to be interpreted as HTML (such as the contents
of a new post) is filtered through {{{bb_encode_bad()}}} which uses a
combination of {{{wp_specialchars()}}} to block non-allowed HTML tags and
kses to block non-allowed HTML attributes.
If you see places where data is not properly escaped, or if there are
problems with the current filters, please open specific tickets.
--
Ticket URL: <http://trac.bbpress.org/ticket/874#comment:1>
bbPress <http://bbpress.org/>
Innovative forum development
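The output contexts listed in the comment above (text node, HTML attribute, URL, and user content that is allowed to carry a limited set of tags), as an added example in PHP. This is not bbPress or WordPress code: esc_text(), esc_attr(), esc_url() and esc_limited_html() are illustrative stand-ins for wp_specialchars(), attribute_escape(), clean_url() and bb_encode_bad(), written with plain PHP built-ins, and the three inputs are constructed to show where strip_tags() alone falls short.

```php
<?php
// Added example, not bbPress/WordPress code. The esc_* functions below are
// illustrative analogues of the project's escaping functions, not its APIs.

// Constructed attacker-controlled inputs, one per output context.
$inputs = [
    'text' => '<b>hi</b> <script>alert(1)</script>',
    'attr' => '" onfocus="alert(1)" autofocus="',   // contains no tag at all
    'url'  => 'javascript:alert(1)',                 // contains no tag at all
];

// Naive approach: strip_tags() everywhere. It only removes <...> sequences,
// so the attribute and URL payloads pass through untouched and break out of
// their contexts.
function render_naive(array $in): string {
    $t = strip_tags($in['text']);
    $a = strip_tags($in['attr']);
    $u = strip_tags($in['url']);
    return "<p>$t</p>\n<input value=\"$a\">\n<a href=\"$u\">link</a>\n";
}

// Text-node context: entity-encode everything (analogue of wp_specialchars()).
function esc_text(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Attribute context: same encoding, quotes included, so the value cannot
// close the attribute (analogue of attribute_escape()).
function esc_attr(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// URL context: allowlist the scheme first, then attribute-encode the result
// (analogue of clean_url()). Encoding alone does not help here, because
// "javascript:alert(1)" contains nothing that needs encoding.
function esc_url(string $s): string {
    $s = trim($s);
    // Browsers ignore control characters inside the scheme; strip them before
    // the check so "java\tscript:" cannot slip past the allowlist.
    $probe = preg_replace('/[\x00-\x20\x7f]+/', '', $s);
    if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $probe, $m)) {
        $scheme = strtolower($m[1]);
        if (!in_array($scheme, ['http', 'https', 'mailto', 'ftp'], true)) {
            return ''; // rejects javascript:, data:, vbscript:, etc.
        }
    }
    return esc_attr($s);
}

// Limited-HTML context (post bodies): encode everything, then restore only an
// allowlist of attribute-free tags. A tag carrying any attribute does not
// match the encoded form and therefore stays encoded. This is a toy; kses
// proper parses attributes and allowlists them individually.
function esc_limited_html(string $s, array $allowed = ['b', 'i', 'em', 'strong', 'code']): string {
    $out = esc_text($s);
    foreach ($allowed as $tag) {
        $out = str_replace(
            ["&lt;$tag&gt;", "&lt;/$tag&gt;"],
            ["<$tag>", "</$tag>"],
            $out
        );
    }
    return $out;
}

// Context-aware rendering: pick the escaper by where the value lands.
function render_escaped(array $in): string {
    $t = esc_limited_html($in['text']);
    $a = esc_attr($in['attr']);
    $u = esc_url($in['url']);
    return "<p>$t</p>\n<input value=\"$a\">\n<a href=\"$u\">link</a>\n";
}

echo "--- strip_tags() only ---\n", render_naive($inputs);
echo "--- context-specific escaping ---\n", render_escaped($inputs);
```

Running it side by side shows the point of the ticket response: strip_tags() drops the `<script>` element from the text input but leaves the attribute and URL payloads intact, because neither contains a tag, whereas choosing the escaper by output context neutralises all three. The esc_limited_html() helper is deliberately minimal; the encode-then-restore trick covers tag allowlisting only, and anything that must accept attributes (links with href, images with src) needs a real attribute-aware filter such as kses.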