[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Dolibarr-dev] Security improvement and new library

From: Destailleur Laurent
Subject: Re: [Dolibarr-dev] Security improvement and new library
Date: Fri, 19 Sep 2014 12:54:00 +0200

I agree we can't rely on user data.

There is already a light "HTMLpurifier" into dolibarr (it is not based
on external lib, but included into core code of Dolibarr, lighter than
HTMLpurifier but really really faster).

However, i am not sure we must rely on such tools. They filters string
we don't want to filter and forgot other.
It is better to rely on good practice that are escaping string
wherever we should escape string.

This is escaping and sanitizing function we MUST use everywhere and is
the only full secure solution (the internal dolibarr purifier is only
to complete, but can't be reliable):
For js:  dol_escape_js
For sql:   $db->escape
For html:  dol_escape_htmltag or dol_html_entities

2014-09-15 16:26 GMT+02:00 [Kreiz IT]Cédric GROSS <address@hidden>:
> Hello there,
> I had a look on This library clean up var against
> wished HTML tag.
> I think including this library in Dolibarr could greatly improve security
> especially for fields where fckeditor used.
> What do you think ?
> Cedric
> _______________________________________________
> Dolibarr-dev mailing list
> address@hidden

Laurent Destailleur (alias Eldy)
Social networks of my OpenSource projects:
Dolibarr Google+:
Dolibarr Facebook:
Dolibarr Twitter:
AWStats Google+:
AWStats Facebook:
AWStats Twitter:

reply via email to

[Prev in Thread] Current Thread [Next in Thread]