Ian,
Yes, good idea. The standard HTML input filtering instead of
HTML-escaping would be fine too, as you really want to remove standard
XSS like script tags. No need to have white/blacklist settings. The
standard "bad-list" is fine, as scripts can go into the head section
of the page.
So that would be just replacing the call to escape with the call to the
html-input-sanitization.
Amy,
Thanks for your "2 cents".
I replied also to your forum post, so won't repeat it here, except by
linking to my reply there:
http://forum.joomla.org/viewtopic.php?f=473&t=428193&p=1810018#p1810018
To get back to the backwards-compatibility issue here (feel free to
start another topic for web-security in general):
The basic problem is that the database content for names should be clean
text-only thanks to input filtering, as assumed by components,
plugins, modules and so on.
Ok, it seems that wasn't done properly in previous Joomla releases.
Now how and where to fix it?
1) in database at upgrade ?
2) at read-out of the database, only for Joomla's internal uses?
3) or at the very end of the chain, as done now for content author names?
Obviously, only 1) will sanitize properly, and protect all extensions
which assumed the database to be a safe source, properly input-sanitized,
as Joomla supposed too until now...
2) and 3) won't cure the multiple issues in components, modules, and
plugins still assuming the database to have been properly input-filtered.
Now I'm only suggesting to move from solution 3) to 1) or at least to
2) in order to fix this backwards-incompatibility.
Of course, I'm open to better solutions too, but didn't see a better
one yet (see my forum post for details), except Ian's, which is fine
too to cure the bug of the current fix at level 3).
With Respect and Best Regards,
Beat
http://www.joomlapolis.com/
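To make the three options in the message concrete, here is an added example (not code from the thread or from Joomla) that models a legacy user table with unfiltered names and compares sanitizing at upgrade (option 1), at core read-out (option 2), and escaping at output (option 3). The tag-stripping sanitizer, the in-memory SQLite table and the sample names are all constructed for this illustration and are a simplification of a real HTML input filter.

```python
import html
import re
import sqlite3

# Constructed sample names as they might sit in an un-filtered legacy table
# (made up for this example, not taken from any real installation).
LEGACY_NAMES = ["Alice", "Bob <script>alert(1)</script>", "Carol <b>Admin</b>"]

TAG_RE = re.compile(r"<[^>]*>")


def sanitize_input(name: str) -> str:
    """Simplified 'bad-list' input filter: names are text only, so strip all tags."""
    return TAG_RE.sub("", name).strip()


def escape_output(name: str) -> str:
    """Option 3: HTML-escape at the very end of the chain (one output path only)."""
    return html.escape(name, quote=True)


def load_legacy_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [(n,) for n in LEGACY_NAMES])
    return conn


def upgrade_sanitize_db(conn: sqlite3.Connection) -> None:
    """Option 1: clean the stored values once, at upgrade time, for every consumer."""
    rows = conn.execute("SELECT id, name FROM users").fetchall()
    conn.executemany("UPDATE users SET name = ? WHERE id = ?",
                     [(sanitize_input(n), i) for i, n in rows])
    conn.commit()


def core_read(conn: sqlite3.Connection) -> list:
    """Option 2: core sanitizes on read-out; code that bypasses core sees raw data."""
    return [sanitize_input(n) for (n,) in conn.execute("SELECT name FROM users")]


def extension_read(conn: sqlite3.Connection) -> list:
    """A third-party extension that trusts the database to be clean and reads it raw."""
    return [n for (n,) in conn.execute("SELECT name FROM users")]


def compare_options() -> dict:
    conn = load_legacy_db()
    raw = extension_read(conn)
    result = {"option3_output": [escape_output(n) for n in raw],  # safe on this page only
              "option2_core": core_read(conn),                    # safe for core paths only
              "extension_exposed_before_upgrade": any(TAG_RE.search(n) for n in raw)}
    upgrade_sanitize_db(conn)
    result["extension_exposed_after_upgrade"] = any(TAG_RE.search(n) for n in extension_read(conn))
    return result
```

Only option 1 changes what the raw-reading extension receives; options 2 and 3 leave the markup in the table, so any consumer that trusts the database is still exposed.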