oshanrube / owasp-esapi-php

Automatically exported from code.google.com/p/owasp-esapi-php
Other
0 stars 0 forks source link

HTMLValidationRule needs example HTMLPurifier policy and should return errors to the user. #32

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
HTMLValidationRule cannot be considered complete until its getValid and
sanitize methods validate and sanitize based on a properly defined
HTMLPurifier policy - much in the same way as esapi4java uses an AntiSamy
policy.

At the moment HTMLPurifier is instantiated with the default policy
(whatever that may be) with the addition of a small number of custom
directives (one of which is Core.CollectErrors - needed in order to
determine whether there were errors).

In order for HTMLValidationRule to work in the same way as esapi4java,
getValid should return the errors generated by HTMLPurifier so that they
can be returned to the user.  I'm thinking of a use case where a web
application allows users to submit content containing (a subset of) HTML
markup and failed validation should present the user with failed validation
feedback e.g. "Sorry, script tags not allowed". getValid will be required
to accept a ValidationErrorList object to which it will addErrors. see
issue 31.

Original issue reported on code.google.com by jahboite@gmail.com on 26 Mar 2010 at 6:17

GoogleCodeExporter commented 9 years ago
De-allocating all defects to me. 

Original comment by vande...@gmail.com on 14 Jul 2010 at 9:27

GoogleCodeExporter commented 9 years ago
All these issues must be dealt with before 1.0. New issues will be on a case by 
case basis as to whether we hold up 1.0 or not. 

Original comment by vande...@gmail.com on 17 Jun 2011 at 3:36