Closed Marqin closed 8 years ago

I've looked a little at code and I don't see any usage of htmlspecialchars() nor regexps for escaping HTML/JS - does it mean that every user can put their own JS (including trojan horse, etc.) into asset name/description/etc?

htmlspecialchars is indeed used in some of the templates, but a thorough check would be much welcome indeed.
Also, note that any JS included would not execute on the C++ frontend side, so the target is slightly limited to those that use the html frontend. Unfortunately this includes the moderators, so... :smile:

According to the template engine you use, they say they don't do any escape - https://github.com/slimphp/PHP-View/blob/master/README.md

Yeah, we do manual escaping. Maybe exposing a function e(string) to wrap echo htmlspecialchars(string) and ease the usage would be good...

The name e(string) may suggest it's something with error, not escape.

Yeah better use explicit function names than shady one-letter names :) Something like echo_escaped or secho (secure echo) might be better already.

Yeah, makes sense too. Would see what can be done later.

I escaped all templates, I just want to have a better check on some of them, after which I might push it.
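The thread above proposes a small escaping helper for PHP-View templates (which do no escaping of their own) and a thorough check of the templates that still echo raw values. The following is an added example written for this page, not code from the project or from PHP-View: the helper names `escape_html` and `secho`, the audit function `find_unescaped_output`, and the template text it scans are all assumptions constructed here.

```php
<?php
declare(strict_types=1);

// Escape a value for placement in an HTML element body or a quoted attribute.
// ENT_QUOTES covers both ' and " so the result is safe inside attributes;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string,
// which would otherwise silently drop content from the page.
function escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// "secure echo": the explicitly named wrapper the discussion suggests,
// so templates write <?php secho($asset['name']) ?> instead of a raw echo.
function secho(string $value): void
{
    echo escape_html($value);
}

// Audit helper for the "better check": scan template source for output
// statements (short echo tags and explicit echo) whose expression is not
// wrapped in htmlspecialchars() or escape_html(). Returns one finding per
// unescaped output with its line number and the expression.
function find_unescaped_output(string $templateSource): array
{
    $findings = [];
    $lines = explode("\n", $templateSource);
    foreach ($lines as $i => $line) {
        $pattern = '/<\?=\s*(.+?)\s*\?>|\becho\s+(.+?)\s*;/';
        if (preg_match_all($pattern, $line, $matches, PREG_SET_ORDER) === 0) {
            continue;
        }
        foreach ($matches as $match) {
            // Group 1 is set for <?= ... ?>, group 2 for echo ...;
            $expr = $match[1] !== '' ? $match[1] : ($match[2] ?? '');
            if (!preg_match('/^(htmlspecialchars|escape_html)\s*\(/', $expr)) {
                $findings[] = ['line' => $i + 1, 'expr' => $expr];
            }
        }
    }
    return $findings;
}

// Constructed template: two outputs are raw (lines 1 and 3), two are escaped.
$template = <<<'TPL'
<h1><?= $asset['name'] ?></h1>
<p><?= htmlspecialchars($asset['description'], ENT_QUOTES, 'UTF-8') ?></p>
<span><?php echo $asset['owner']; ?></span>
<em><?php secho($asset['tag']); ?></em>
TPL;

foreach (find_unescaped_output($template) as $finding) {
    printf("line %d: unescaped output of %s\n", $finding['line'], $finding['expr']);
}

// Constructed asset value that would inject markup if echoed raw.
$description = '<script>alert(1)</script> "quoted" & \'single\'';
secho($description);
```

Run against a templates directory the audit reports every short-tag or echo expression not passed through htmlspecialchars()/escape_html(), which is the list to review before pushing the escaped templates. The helper is correct for HTML body and attribute contexts only; a value placed inside a script block or a URL needs context-specific encoding (for example json_encode for JavaScript), which htmlspecialchars does not provide.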