From: Shaun M. <sh...@ae...> - 2004-09-03 13:47:16
On 3 Sep 2004, at 12:54, Matthew McNaney wrote:

>> we can lock out all html tags from normal users leaving them just
>> with BBCode? That would solve a great many of these types of security
>> issues.
>
> Quick note: the hack works with BBCode as well
> [img]index.php?module=users&doevil=1[/img]

Oh well, there goes that plan.

Does this mean the PEAR HTML_BBCodeParser needs changing or are the security changes to go into phpwebsite enough?

In the meantime, in /conf/BBCodeParser.ini

filters = Basic,Extended,Links,Images,Lists,Email

needs to change to

filters = Basic,Extended,Links,Lists,Email

to block out image [img] tags.

Shaun
aegis design - http://www.aegisdesign.co.uk
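The workaround in the message above drops the Images filter entirely. An added example (not phpwebsite or PEAR HTML_BBCodeParser code) of the narrower policy a defender might apply instead: keep [img] tags, but only render an image when the URL is absolute, uses http or https, carries no query string, does not point at the site's own host, and names an image file. The URL quoted in the message is a relative path back into index.php with parameters, which is what makes every viewer's browser issue that request with their session cookie; under this policy it is shown as escaped text and never fetched. The hostname, the extension list and the sample post are assumptions constructed for the example.

```php
<?php
// Added example, not the project's own code: a URL policy for BBCode [img] tags.
// Goal: let ordinary users embed images while refusing URLs that would make
// viewers' browsers send requests back into the application.

const OWN_HOST = 'www.example.org';   // assumption: the forum's own hostname

function isSafeImageUrl(string $url, string $ownHost = OWN_HOST): bool
{
    $parts = parse_url($url);
    // Relative URLs such as "index.php?module=users&doevil=1" have no scheme
    // or host and are rejected here.
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return false;
    }
    // Only plain web schemes; no javascript:, data:, file: and so on.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // No query string, fragment or userinfo: nothing that could select an action.
    if (isset($parts['query']) || isset($parts['fragment']) || isset($parts['user'])) {
        return false;
    }
    // Never allow a post to make viewers request the application itself.
    if (strcasecmp($parts['host'], $ownHost) === 0) {
        return false;
    }
    // Require a plausible image file name (assumed extension list).
    $path = $parts['path'] ?? '';
    return (bool) preg_match('/\.(gif|jpe?g|png)$/i', $path);
}

// Replace each [img]...[/img] with an <img> element only when the URL passes;
// otherwise emit the original tag text, HTML-escaped, so nothing is fetched.
function renderImgTags(string $bbcode, string $ownHost = OWN_HOST): string
{
    return preg_replace_callback(
        '/\[img\](.*?)\[\/img\]/is',
        function (array $m) use ($ownHost): string {
            $url = trim($m[1]);
            if (isSafeImageUrl($url, $ownHost)) {
                return '<img src="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '" alt="" />';
            }
            return htmlspecialchars($m[0], ENT_QUOTES, 'UTF-8');
        },
        $bbcode
    );
}

// Constructed sample post containing the URL quoted in the message above
// and an ordinary external image URL.
$post = "Look: [img]index.php?module=users&doevil=1[/img] "
      . "and [img]http://pics.example.net/cat.png[/img]";
echo renderImgTags($post), "\n";
// The first tag comes out as escaped text, the second as an <img> element.
```

This only narrows the vector on the rendering side. Whether the request itself can still do damage is the question the message raises about changes inside phpwebsite: a module action that takes effect on a plain GET with nothing but the session cookie will be reachable through any other element that makes the browser issue a request, so the filter is a stopgap rather than the fix.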