Commit Graph
28 Commits
Author SHA1 Message Date
Bharat Mediratta bf2bb3e1ea Update copyright to 2012. #1822 2012-02-27 09:48:23 -08:00
Bharat Mediratta 423daa52d5 Update copyright to 2011. 2011-01-21 23:01:06 -08:00
Bharat Mediratta c3c2b45280 Update the copyright to 2010. It's only 3 months into the year :-) 2010-03-03 10:15:34 -08:00
Bharat Mediratta 76da85a1a0 Extend Gallery_Unit_Test_Case instead of Unit_Test_Case. 2010-01-19 22:38:19 -08:00
Tim Almdal 719b111219 Correct indentation 2009-09-23 14:38:38 -07:00
Andy Staudacher 2e23ae98c4 - Add theme->movie_menu() to whitelisted methods.
- xss_data checkpoint
2009-09-17 14:12:43 -07:00
Andy Staudacher d2cea7905e Remove debugging code 2009-09-01 00:53:17 -07:00
Andy Staudacher c0d4937e43 Fix bug in XSS scanner for <script> block @ position 0 of inline_html 2009-09-01 00:52:21 -07:00
Andy Staudacher 50c8b96405 Add XSS check for HTML attributes 2009-08-31 21:17:35 -07:00
Andy Staudacher 48050aca41 Add XSS check to ensure that html::js_string() is not preceded by a quote. 2009-08-31 19:53:53 -07:00
Andy Staudacher 26f6d8192f Adding XSS test for href="javascript: and onclick="..." 2009-08-31 01:11:50 -07:00
Andy Staudacher ddb84c84e1 Rename mark_safe() to mark_clean() 2009-08-31 00:42:18 -07:00
Andy Staudacher 0a0c7a78e6 Check for href="<?= $foo ?>" (malicious "javascript:..." string) 2009-08-30 21:25:21 -07:00
Andy Staudacher df38a890a6 Tabs to spaces cleanup 2009-08-30 18:07:13 -07:00
Andy Staudacher beb711d6a0 Rename clean_js to js_string and have it return a complete JS string (with delimiters) instead of just the string contents.
Benefits: Using json_encode(), which is very robust. And as a user, it's clearer how to use this API compared to what it was before.
2009-08-30 15:21:02 -07:00
Andy Staudacher 22aa0b3092 Add $theme-> methods to Xss whitelist for HTML safety.
Updating XSS golden file.
2009-08-30 07:25:49 -07:00
Andy Staudacher b9bd1681a3 Update all code to use helper method html::clean(), html::purify(), ... instead of SafeString directly. 2009-08-29 22:54:20 -07:00
Andy Staudacher 952c885609 Adding html::clean(), ::purify(), etc. 2009-08-29 22:31:23 -07:00
Andy Staudacher b4b638be44 Undo url helper changes - url methods no longer return a SafeString.
Adding SafeString::of_safe_html() calls where urls are passed as parameters to t() and t2().
2009-08-29 16:28:30 -07:00
Andy Staudacher d5660d2d3e Fixing all detected XSS vectors in PHP->JS code.
Xss: Rename UNKNOWN back to DIRTY, JS_XSS to DIRTY_JS.
(using a different flag value to highlight potential XSS vectors in JS)
2009-08-29 13:41:18 -07:00
Andy Staudacher a10063ff68 Add more factory methods for convenience:
SafeString::purify() and SafeString::of_safe_html().

Removing SafeString::mark_html_safe() since it's no longer needed.
2009-08-29 12:34:09 -07:00
Andy Staudacher 1d633457c4 Have url::site() and other methods return a SafeString, just as t() and t2().
Benefits:
 - url::site() is often used in views and we can ensure in the url class that returned strings are indeed safe for use in HTML. Makes the list of vars of unknown safety status shorter.
 - url::site() is often used as message parameter to t() and t2(). The parameter would be HTML-escaped if it wasn't marked as safe HTML already. Makes the usage simpler / shorter.
2009-08-29 11:31:00 -07:00
Andy Staudacher 020281d932 Adding SafeString which is going to replace p::clean() and p::purify().
Refactoring of Xss_Security_Test.
t() and t2() return a SafeString instance.

TODO:
 - Update all code to use SafeString where appropriate.
 - Update golden fole of Xss_Security_Test
 - Stop reporting CLEAN vars in Xss_Security_Test
2009-08-29 10:45:47 -07:00
Bharat Mediratta b46998e392 Update Xss_Security_Test to know about p::purify() and checkpoint the
golden file.
2009-07-16 10:24:10 -07:00
Andy Staudacher 329bd8caa1 Remove source code copy artefact 2009-06-05 18:31:15 -07:00
Bharat Mediratta 743b321154 Change "CLEAN" to an empty string to see if it's better visually.
Looks like it is.
2009-06-04 12:23:12 -07:00
Bharat Mediratta a049de28ac Update the clean/dirty format, check all ffiles instead of just one (which was for debugging) 2009-05-31 00:13:28 -07:00
Bharat Mediratta ad81861c33 First pass at an XSS security test, along with the "p" helper which
can clean HTML output.
2009-05-31 00:11:02 -07:00