PEAK XOOPS - Re: TinyEditor and My Album 2.84 
TOP
>
Forum
>
XOOPS Modules
>
myAlbum-P
>
TinyEditor and My Album 2.84
>
Re: TinyEditor and My Album 2.84
Re: TinyEditor and My Album 2.84
Re: TinyEditor and My Album 2.84
msg# 1.1.1.2
- depth:
- 3
GIJOE
Posts: 4110
Posts: 4110
Quote:I just means WYSIWYG editors make non-sense for myAlbum-P.
myAlbum-P is a module can be posted by untrusted users usually.
Thus, I disable HTML for the module.
It is just an issue of designing.
Quote:Client-side sanitizing?
It is really non-sense
Do you know the difference between "Script Insertion"(or HTML Injection) and "XSS" ?
"Allowing HTML" invites "Script Insertion" instead of "XSS".
Only server-side checking can stop malicious POSTs.
And perhaps "sanitizing HTML" at server-side make non-sense too.
Only "rebuilding HTML" at server-side protects sites from ScriptInsertion.
I've written the fact in this site long ago.
Quote:I cannot agree with it.
Because myAlbum-P is a module can be posted by untrusted users usually.
The BIG FAT warning makes non-sense for almost site owners.
Thus I always answer "Hack it by yourself with your responsibility" to anybody.
Quote:I cannot understand it.
What's the evil?
<b>b</b> is escaped as <b>b</b> for HTML browser.
It's quite natural.
frankblack wrotes:
Quote:Thus, any WYSIWYG editors work non-sense.
? What do you mean? Every WYSIWYG editor IS non-sense or PRODUCES non-sense?
myAlbum-P is a module can be posted by untrusted users usually.
Thus, I disable HTML for the module.
It is just an issue of designing.
Quote:
As for tinyeditor (or tinyMCE) WYSIWYG is a BIT safer, since this editor uses his own sanitizer. I DO know that client-side sanitizing is not the best thing to rely on, but it is a start. Maybe there should be another server-side sanitizer checking the HTML code again.
It is really non-sense
Do you know the difference between "Script Insertion"(or HTML Injection) and "XSS" ?
"Allowing HTML" invites "Script Insertion" instead of "XSS".
Only server-side checking can stop malicious POSTs.
And perhaps "sanitizing HTML" at server-side make non-sense too.
Only "rebuilding HTML" at server-side protects sites from ScriptInsertion.
I've written the fact in this site long ago.
Quote:
Maybe it would be a good option to let the user of your modules decide if they want to use WYSIWYG? Make a BIG FAT warning and you are out of responsibility.
Because myAlbum-P is a module can be posted by untrusted users usually.
The BIG FAT warning makes non-sense for almost site owners.
Thus I always answer "Hack it by yourself with your responsibility" to anybody.
Quote:
Just a thought, as I know thatis already evil.<b>b</b>
What's the evil?
<b>b</b> is escaped as <b>b</b> for HTML browser.
It's quite natural.
Votes:3
Average:6.67
Posts tree
-
TinyEditor and My Album 2.84
(TopKnot, 2007/2/12 7:34)
-
Re: TinyEditor and My Album 2.84
(GIJOE, 2007/2/13 4:12)
-
Re: TinyEditor and My Album 2.84
(frankblack, 2007/2/13 4:39)
-
Re: TinyEditor and My Album 2.84
(TopKnot, 2007/2/13 8:18)
-
Re: TinyEditor and My Album 2.84
(GIJOE, 2007/2/14 4:15)
-
-
Re: TinyEditor and My Album 2.84
(GIJOE, 2007/2/14 4:03)
-
Re: TinyEditor and My Album 2.84
(frankblack, 2007/2/14 7:09)
-
Re: TinyEditor and My Album 2.84
(GIJOE, 2007/2/15 3:10)
-
Re: TinyEditor and My Album 2.84
(yosha_01, 2007/7/31 2:50)
-
Re: TinyEditor and My Album 2.84
(GIJOE, 2007/8/10 6:17)
-
Re: TinyEditor and My Album 2.84
(yosha_01, 2007/8/12 8:14)
-
-
-
-
-
-
-
-
Re: TinyEditor and My Album 2.84
(jayjay, 2008/6/19 21:54)
-
Login