This repository has been archived by the owner on Mar 29, 2021. It is now read-only.

added dom escape function #34

Labels: help wanted, security

Comments

hxtree (Collaborator) commented May 19, 2020

need a way of escaping user provided data of instantiable tags for security.

This should prevent any instantiable tag from being provided.

e.g. if there is an 'if' module then it should strip if tags.

hxtree (Collaborator, Author) commented Feb 10, 2021

xpath query with process=false as used in Hoopless works to do this, but by opening and closing tags this could be circumnavigated.

hxtree (Collaborator, Author) commented Feb 12, 2021

  • Issue of user provided input containing xpath for undesirable, e.g. putting a header inside the body. It seems like we'd want to whitelist child elements.
$allowed_tags = '<p><b><br>';
addMethod([
 'xpath' => '//comments',
 'striptags' => [true, $allowed_tags]
]);

These later issues seem to be resolvable by ensuring DOM structure during processing:

  • Issue with user provided data containing invalid DOM structure, e.g. "Bold". This could cause the processor to fail.

  • Issue with user provided data escaping parent nest, e.g. "Escape"
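One way to implement the whitelist-then-normalise approach sketched in this comment, which also covers the open/close-tag circumvention raised in the Feb 10 comment, as an added example that is not the project's own code. It relies only on PHP's built-in strip_tags() and DOMDocument; the function name sanitizeFragment, the wrapper id and the sample inputs are constructed for illustration:

```php
<?php
declare(strict_types=1);

// Added example, not the project's code. Two measures from the issue:
// 1. whitelist child elements with strip_tags(), so an instantiable tag such
//    as <if> is reduced to its text content;
// 2. re-parse the fragment inside a wrapper element with DOMDocument, so
//    unclosed elements are closed and closing tags with no matching open
//    element are ignored, and only the wrapper's children are emitted.
// The function name, wrapper id and tag list are assumptions.

function sanitizeFragment(string $userInput, string $allowedTags = '<p><b><br>'): string
{
    // Step 1: element whitelist. strip_tags() keeps attributes on allowed
    // elements; attribute filtering is a separate concern.
    $stripped = strip_tags($userInput, $allowedTags);

    // Step 2: structural normalisation via the HTML parser.
    $doc = new DOMDocument();
    $previous = libxml_use_internal_errors(true);   // silence parse warnings
    // The leading XML declaration makes libxml treat the input as UTF-8.
    $doc->loadHTML('<?xml encoding="UTF-8"><div id="sanitize-wrap">' . $stripped . '</div>');
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    $xpath = new DOMXPath($doc);
    $wrap  = $xpath->query('//div[@id="sanitize-wrap"]')->item(0);
    if ($wrap === null) {
        return '';
    }

    // Serialise only the wrapper's children, never the wrapper or anything
    // the parser may have placed outside it.
    $out = '';
    foreach ($wrap->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed inputs mirroring the cases raised in the issue.
$cases = [
    '<if>secret</if> visible'       => 'instantiable tag stripped, text kept',
    '<b>Bold'                       => 'unclosed element closed by the parser',
    '</p>Escape<p>'                 => 'stray closing tag cannot close the wrapper',
    '<p>ok</p><script>x()</script>' => 'element outside the whitelist removed',
];
foreach ($cases as $input => $why) {
    printf("%-32s -> %s  (%s)\n", $input, sanitizeFragment($input), $why);
}
```

Keep the wrapper element's own tag name out of the whitelist: if a user-supplied closing tag could match it, the parser would close the wrapper early and anything after that point would be dropped rather than inserted. strip_tags() also leaves attributes on whitelisted elements untouched, so an attribute filter is a separate step from the element whitelist shown here.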

hxtree added the help wanted label Feb 12, 2021