Re: [Phpwebsite-developers] Security Explained

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

On 3 Sep 2004, at 12:54, Matthew McNaney wrote:

>> we can lock out all html tags from normal users leaving them just
>> with BBCode? That would solve a great many of these types of security
>> issues.
>
> Quick note: the hack works with BBCode as well
> [img]index.php?module=users&doevil=1[/img]

Oh well, there goes that plan.

Does this mean the PEAR HTML_BBCodeParser needs changing or are the 
security changes to go into phpwebsite enough?

In the meantime,

In /conf/BBCodeParser.ini

filters     = Basic,Extended,Links,Images,Lists,Email

needs to change to

filters     = Basic,Extended,Links,Lists,Email

to block out image [img] tags.

Shaun
aegis design - http://www.aegisdesign.co.uk