Feature #6121

Add validator and filter for HTML

Added by Karsten Dambekalns over 5 years ago. Updated over 3 years ago.

Status: Rejected
Start date:
Priority: Should have
Due date:
Assigned To: -
% Done: 0%
Category: Validation
Target version: -
Estimated time: 6.00 hours
PHP Version:
Complexity:
Has patch: No

Description

We need a validator that can check for malicious content in strings that are supposed to contain some HTML. And it would be nice to have a filter to clean up messy stuff of that kind.

History

#1 Updated by Lukas Lentner over 5 years ago

Wouldn't it make sense to delegate this function to a rich text editor, which has to take care of the transformations between (in the older days) BE->DB anyway? The validator should work hand in hand with this Transformator!
Or do you have other uses for this validator?
Lukas

#2 Updated by Lukas Lentner over 5 years ago

Is such a package planned?

- Richtexteditor
- Viewhelper for fluid
- gui by extjs
- complex transformation & validations

Or an adaptation of an existing one??

#3 Updated by Robert Lemke over 5 years ago

  • Target version changed from 1.0 alpha 8 to 1.0 alpha 9
  • Start date deleted (2010-01-20)
  • Estimated time set to 6.00

#4 Updated by Karsten Dambekalns over 5 years ago

Lukas Lentner wrote:

Wouldn't it make sense to delegate this function to a rich text editor

No, it wouldn't. Because that would mean you are only protected when the content to deal with has been entered using the RTE.

#5 Updated by Robert Lemke about 5 years ago

  • Target version deleted (1.0 alpha 9)

#6 Updated by Bastian Waidelich over 3 years ago

  • Status changed from New to Needs Feedback
  • Has patch set to No

I think this one can be closed, as a validator for malicious HTML doesn't make sense IMO:
The rules for malicious HTML can change and depend on the context. So the output should be secured when outputted to the client. For RTEs we probably need something like t3lib_div::removeXSS().
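
An added example, not part of the original thread and not FLOW3 or TYPO3 code, of the point made in comment #6: the same stored string needs a different encoding in each output context, which is why the decision belongs at output time rather than in an input validator. The function `encodeFor()`, its context names and the sample string are assumptions made for this illustration.

```php
<?php
declare(strict_types=1);

// Added illustration; not FLOW3 or TYPO3 code. encodeFor() and its context
// names are hypothetical. Requires PHP 7.3+ (JSON_THROW_ON_ERROR).
function encodeFor(string $context, string $value): string
{
    switch ($context) {
        case 'html':      // text node or quoted attribute value
            return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        case 'script':    // string literal inside an inline <script> block
            // JSON_HEX_* emits <, >, &, ' and " as \uXXXX escapes, so the value
            // can end neither the string literal nor the <script> element.
            return json_encode(
                $value,
                JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
            );
        case 'url':       // one query-string component
            return rawurlencode($value);
        default:
            // Fail closed: an unknown context must never fall back to raw output.
            throw new InvalidArgumentException("Unknown output context: $context");
    }
}

// Constructed sample: ordinary user text that an input-time validator would
// have to judge without knowing which of the contexts below it ends up in.
$stored = 'Tom & "Jerry": if (a < b) { it\'s fine } </script>';

printf("<p>%s</p>\n", encodeFor('html', $stored));
printf("<input type=\"text\" value=\"%s\">\n", encodeFor('html', $stored));
printf("<script>var comment = %s;</script>\n", encodeFor('script', $stored));
// URL component first, then HTML-encode because the URL sits in an attribute.
printf("<a href=\"/search?q=%s\">search</a>\n", encodeFor('html', encodeFor('url', $stored)));
```

The stored value is kept unmodified; only the rendering step knows the context and picks the encoder.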

#7 Updated by Christian Müller over 3 years ago

  • Status changed from Needs Feedback to Closed

As Bastian said, this should be checked on output.

#8 Updated by Christian Müller over 3 years ago

  • Status changed from Closed to Rejected
