Closed webvent2022 closed 2 years ago
There are three aspects to making user input secure in this package:
- Input validation. Fields are validated as strings, numeric, etc. as appropriate using Laravel's built-in validator.
- Prepared statements. Insert queries (at least the ones involving string fields) are done via Eloquent and benefit from built-in protections.
- Output encoding. By default, category titles, category descriptions, and thread titles are output using the {{ }} Blade syntax, which passes the content through e (https://laravel.com/docs/9.x/helpers#method-e). Post content goes through the Forum::render utility method, which goes through the same encoding function but preserves line breaks with nl2br.
I don't know what Purify is, but there's no need to use it here. If you want to allow a subset of HTML in user posts then it may be useful for that (in which case you'll need to override the Forum::render method by extending TeamTeaTime\Forum\Support\Web\Forum and overriding the forum.web.utility_class config value).
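To make the output-encoding point concrete, here is an added PHP example (not code from laravel-forum and not part of the comment above) that runs a hostile post body through a local copy of e() and through a Forum::render-style "encode, then nl2br" helper. The local e() is assumed to match the default behaviour of Laravel's helper; renderPost, renderPostWrongOrder and onlyBrTags are hypothetical names used only here.

```php
<?php
// Added example, not code from laravel-forum or from the comment author.
// It shows what the two output paths named above do to a hostile post body:
// the {{ }} / e() path and a Forum::render-style "encode then nl2br" path.
//
// Assumption: this local e() mirrors the default behaviour of Laravel's e()
// helper (htmlspecialchars with ENT_QUOTES | ENT_SUBSTITUTE, UTF-8 and
// double_encode = true). The real helper also accepts Htmlable objects.
function e(string $value, bool $doubleEncode = true): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', $doubleEncode);
}

// Hypothetical stand-in for Forum::render: encode first, then turn newlines
// into <br />. The order is the whole point: user text can no longer carry
// markup once e() has run, so the only tags in the result are the ones
// nl2br adds afterwards.
function renderPost(string $content): string
{
    return nl2br(e($content));
}

// The same two steps in the wrong order. Nothing executes, but the <br />
// tags nl2br inserted are escaped by e() and appear literally on the page,
// which is the symptom to look for if line breaks "stop working" after an
// override of the utility class.
function renderPostWrongOrder(string $content): string
{
    return e(nl2br($content));
}

// Defender-side check for a template audit: rendered post markup must not
// contain any tag other than the <br /> produced by nl2br. Returns true
// when the output is clean.
function onlyBrTags(string $html): bool
{
    return preg_match('/<(?!br\s*\/?>)/i', $html) === 0;
}

// Constructed sample input: a multi-line post carrying a script tag and an
// attribute-breaking quote, the shapes a stored-XSS regression test uses.
$post = "line one\n<script>alert(1)</script>\n\" onmouseover=\"x";

foreach ([
    'e()'                    => e($post),
    'renderPost()'           => renderPost($post),
    'renderPostWrongOrder()' => renderPostWrongOrder($post),
] as $label => $html) {
    printf("%-24s clean=%s\n%s\n\n", $label, onlyBrTags($html) ? 'yes' : 'no', $html);
}
```

Run it with php on the command line and compare the three outputs: the e() and renderPost() results contain no raw tags and the second keeps its line breaks, while renderPostWrongOrder() shows the escaped br tags as text. When auditing a custom utility class, the other thing to look for is the Blade raw syntax {!! !!}, which skips e() entirely and is where an allowed-HTML subset would need a real sanitizer such as the one mentioned in the thread.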
thank you Sir... will look into the markup saving.
On Sun, Jun 26, 2022 at 12:49 PM Rick Mann @.***> wrote:
There are three aspects to making user input secure in this package:
- Input validation. Fields are validated as strings, numeric, etc as appropriate using Laravel's built-in validator.
- Prepared statements. Insert queries (at least the ones involving string fields) are done via Eloquent and benefit from built-in protections.
- Output encoding. By default, category titles, category descriptions, and thread titles are output using the {{ }} Blade syntax, which passes the content through e https://laravel.com/docs/9.x/helpers#method-e. Post content goes through the Forum::render utility method, which goes through the same encoding function but preserves line breaks with nl2br.
I don't know what Purify is, but there's no need to use it here. If you want to allow a subset of HTML in user posts then it may be useful for that (in which case you'll need to override the Forum::render method by extending TeamTeaTime\Forum\Support\Web\Forum and overriding the forum.web.utility_class config value).
— Reply to this email directly or view it on GitHub: https://github.com/Team-Tea-Time/laravel-forum/issues/310#issuecomment-1166585340
What is being used to sanitize the input? I am using Purify site-wide. Was thinking of incorporating this. What can you tell me about the sanitization of the input?