Team-Tea-Time / laravel-forum

A slim, lean forum package designed for quick and easy integration in Laravel projects
https://laravel-forum.teamteatime.net/
MIT License

Sanitation of input #310

Closed webvent2022 closed 2 years ago

webvent2022 commented 2 years ago

What is being used to sanitize the input? I am using Purify site-wide. Was thinking of incorporating this. What can you tell me about the sanitization of the input?

Riari commented 2 years ago

There are three aspects to making user input secure in this package:

  • Input validation. Fields are validated as strings, numeric, etc. as appropriate using Laravel's built-in validator.
  • Prepared statements. Insert queries (at least the ones involving string fields) are done via Eloquent and benefit from built-in protections.
  • Output encoding. By default, category titles, category descriptions, and thread titles are output using the {{ }} Blade syntax, which passes the content through the e helper (https://laravel.com/docs/9.x/helpers#method-e). Post content goes through the Forum::render utility method, which goes through the same encoding function but preserves line breaks with nl2br.

I don't know what Purify is, but there's no need to use it here. If you want to allow a subset of HTML in user posts then it may be useful for that (in which case you'll need to override the Forum::render method by extending TeamTeaTime\Forum\Support\Web\Forum and overriding the forum.web.utility_class config value).
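Added example (not code from laravel-forum or from either participant) of the override route described above: a site-level class that extends TeamTeaTime\Forum\Support\Web\Forum and replaces render() with an allow-list sanitizer, using ezyang/htmlpurifier in place of whatever "Purify" the questioner runs. Assumed: render() is a static method that takes the raw post body and returns HTML, the package default behaves like nl2br(e($content)), and the App\Forum namespace and the config/forum.php snippet are illustrative.

```php
<?php
// Added example, not part of laravel-forum. Assumptions: render() is static,
// receives the raw post body and returns HTML; the package default behaves
// like nl2br(e($content)). To activate, point the forum.web.utility_class
// config value at this class, e.g. in config/forum.php:
//   'web' => ['utility_class' => \App\Forum\Forum::class, /* ... */],

namespace App\Forum;

use HTMLPurifier;
use HTMLPurifier_Config;
use TeamTeaTime\Forum\Support\Web\Forum as BaseForum;

class Forum extends BaseForum
{
    private static ?HTMLPurifier $purifier = null;

    public static function render(string $content): string
    {
        // Sanitize first, then add <br /> for line breaks, so nl2br only ever
        // touches markup the purifier has already reduced to the allow-list.
        return nl2br(self::purifier()->purify($content));
    }

    private static function purifier(): HTMLPurifier
    {
        if (self::$purifier === null) {
            $config = HTMLPurifier_Config::createDefault();
            // Allow-list of elements and attributes; everything else is
            // dropped or escaped, including event handlers and <script>.
            $config->set('HTML.Allowed', 'b,i,em,strong,code,a[href]');
            // Only web URLs in href; javascript:, data: and the like are removed.
            $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
            // User-supplied links should not lend the site's reputation.
            $config->set('HTML.Nofollow', true);
            // HTMLPurifier caches parsed definitions; keep them under storage/.
            $config->set('Cache.SerializerPath', storage_path('app/htmlpurifier'));
            self::$purifier = new HTMLPurifier($config);
        }

        return self::$purifier;
    }
}
```

Since the default render() already emits <br /> tags, the package's post view must print its result unescaped, which is why every byte this method returns has to be trusted: keep the allow-list small and never widen it to anything that can carry a URL or script without the purifier's attribute rules covering it.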

webvent2022 commented 2 years ago

Thank you, Sir... will look into the markup saving.

On Sun, Jun 26, 2022 at 12:49 PM Rick Mann wrote:

There are three aspects to making user input secure in this package:

  • Input validation. Fields are validated as strings, numeric, etc. as appropriate using Laravel's built-in validator.
  • Prepared statements. Insert queries (at least the ones involving string fields) are done via Eloquent and benefit from built-in protections.
  • Output encoding. By default, category titles, category descriptions, and thread titles are output using the {{ }} Blade syntax, which passes the content through the e helper (https://laravel.com/docs/9.x/helpers#method-e). Post content goes through the Forum::render utility method, which goes through the same encoding function but preserves line breaks with nl2br.

I don't know what Purify is, but there's no need to use it here. If you want to allow a subset of HTML in user posts then it may be useful for that (in which case you'll need to override the Forum::render method by extending TeamTeaTime\Forum\Support\Web\Forum and overriding the forum.web.utility_class config value).
