Re: [Dolibarr-dev] Security improvement and new library
From: Yannick Warnier
Subject: Re: [Dolibarr-dev] Security improvement and new library
Date: Tue, 16 Sep 2014 00:24:49 +0100
User-agent: SquirrelMail/1.4.23 [SVN]
> Hello there,
>
> I had a look at http://htmlpurifier.org. This library cleans up variables
> according to a list of desired HTML tags.
>
> I think including this library in Dolibarr could greatly improve security,
> especially for fields where fckeditor is used.
>
I'll second that. I remember that when I suggested filtering input in
Dolibarr 2, I was told (at the time) that the users of Dolibarr were
generally reliable and that there was no need for filtering. I hope this has
changed :-)
We use HTMLPurifier in Chamilo LMS, with very good results, but beware that
it is a *huge* CPU consumer. So much so that we actually had to disable some
of its filtering features.
I don't think it would have much impact in Dolibarr, as the number of
simultaneous users is relatively low, but it's good to know.
Cheers,
Yannick