developer.jelix.org is not used any more and exists only for history. Post new tickets on the Github account.

Opened 11 years ago

Closed 11 years ago

#994 closed bug (fixed)

jFilter::cleanAttr must check on a white list instead of black list

Reported by: laurentj
Owned by: laurentj
Priority: high
Milestone: Jelix 1.1.4
Component: jelix:utils
Version: 1.1.3
Severity: critical
Keywords: security
Cc:
Blocked By:
Blocking:
Documentation needed: no
Hosting Provider:
Php version:

Description (last modified by laurentj)

It is much better to verify that the protocol of a URL belongs to a list of allowed protocols than to check it against a list of forbidden protocols, because we don't know the full list of protocols a browser supports, and it may support an insecure one.
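As an added example, not Jelix's own jFilter::cleanAttr code, here are the two approaches side by side in PHP; the scheme lists, function names and sample inputs are assumptions made for the illustration:

```php
<?php
// Added example, not Jelix's jFilter::cleanAttr. It contrasts the denylist check the
// ticket argues against with the allowlist check it asks for. Both scheme lists are
// assumptions chosen for this example.

const FORBIDDEN_SCHEMES = ['javascript'];                    // denylist: only what we thought of
const ALLOWED_SCHEMES   = ['http', 'https', 'mailto', 'ftp']; // allowlist: only what we accept

/**
 * Return the lowercased scheme of a URL as a browser would interpret it,
 * or null when the URL has no scheme (a relative URL).
 */
function extractScheme(string $url): ?string
{
    // Browsers ignore ASCII control characters (tab, newline, ...) inside a URL,
    // so remove them first; otherwise the scheme comparison is made on a different
    // string than the one the browser will actually act on.
    $url = preg_replace('/[\x00-\x1F\x7F]/', '', $url);
    // RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":"
    if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $url, $m)) {
        return strtolower($m[1]);
    }
    return null;
}

/** Denylist: keep everything except the schemes we already know to be bad. */
function isUrlAllowedDenylist(string $url): bool
{
    $scheme = extractScheme($url);
    return $scheme === null || !in_array($scheme, FORBIDDEN_SCHEMES, true);
}

/** Allowlist: keep only relative URLs and the schemes we explicitly trust. */
function isUrlAllowedAllowlist(string $url): bool
{
    $scheme = extractScheme($url);
    return $scheme === null || in_array($scheme, ALLOWED_SCHEMES, true);
}

// Constructed inputs: a scheme nobody listed slips through the denylist but is
// rejected by the allowlist, while ordinary absolute and relative links pass both.
$samples = ['https://jelix.org/', '/index.php?page=1', 'SomeNewScheme:data', 'JavaScript:void(0)'];
foreach ($samples as $url) {
    printf("%-22s denylist=%-4s allowlist=%s\n", $url,
        isUrlAllowedDenylist($url) ? 'keep' : 'drop',
        isUrlAllowedAllowlist($url) ? 'keep' : 'drop');
}
```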

Change History (3)

comment:1 Changed 11 years ago by laurentj

  • Description modified (diff)

comment:2 Changed 11 years ago by laurentj

  • Milestone changed from Jelix 1.0.11 to Jelix 1.1.4
  • Version changed from 1.0.10 to 1.1.3