#1: Use scrubhtml to remove dangerous tags

Contents
  1. Motivation
  2. Proposal
  3. Implementation
  4. Deliverables
  5. Risks
by Christian 'Tiran' Heimes, last modified June 11, 2006 - 00:20

CMFDefault uses an SGML parser to remove harmful tags such as script and object. ATCT should use an output transformation to achieve the same goal and so work around site exploits.
Proposed by: Tiran
Proposal type: Architecture
Assigned to release:
State: completed

Motivation

Tags such as script, when they appear in HTML supplied by users, can be abused to attack a site and its visitors.

Proposal

Use an SGML parser and an output transformation to remove the malicious tags.

Implementation

* Write a better SGML parser than the one in CMFDefault, which has some issues, such as raising an exception when it meets a script tag and building its output with str + str.

* Use this transformation when outputting HTML.
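The following is an added example of the approach the two steps above describe; it is not the ATCT or portal_transforms code. It uses the standard library html.parser as a stand-in for the sgmllib-based parser of the proposal, skips script elements instead of raising as the CMFDefault parser did, and collects its output in a list that is joined once rather than using str + str. The set of dangerous tags beyond script and object is an assumption chosen for illustration.

```python
"""Tag-stripping HTML scrubber (added example, not ATCT/portal_transforms code)."""
from html import escape
from html.parser import HTMLParser

# Elements whose whole subtree is dropped. script and object come from the
# proposal; the remaining names are assumed here for illustration.
DANGEROUS_TAGS = frozenset({"script", "object", "embed", "applet", "iframe", "style"})


class ScrubHTML(HTMLParser):
    """Re-serialises the document without dangerous elements and their contents."""

    def __init__(self, dangerous=DANGEROUS_TAGS):
        # convert_charrefs=True: text reaches handle_data already unescaped,
        # so it is re-escaped exactly once on the way out.
        super().__init__(convert_charrefs=True)
        self.dangerous = dangerous
        self.out = []         # output fragments, joined once in scrub_html()
        self.skip_depth = 0   # > 0 while inside a dangerous element

    @staticmethod
    def _format_tag(tag, attrs):
        parts = [tag]
        for name, value in attrs:
            if value is None:  # boolean attribute such as <input disabled>
                parts.append(name)
            else:
                parts.append('%s="%s"' % (name, escape(value, quote=True)))
        return " ".join(parts)

    def handle_starttag(self, tag, attrs):
        if tag in self.dangerous:
            # Nesting is counted for dangerous tags only, so void tags such
            # as <br> inside a skipped element cannot unbalance the counter.
            self.skip_depth += 1
            return
        if self.skip_depth:
            return
        self.out.append("<%s>" % self._format_tag(tag, attrs))

    def handle_startendtag(self, tag, attrs):
        # Self-closing form (<br/>, <embed .../>): keep unless dangerous/skipped.
        if tag in self.dangerous or self.skip_depth:
            return
        self.out.append("<%s/>" % self._format_tag(tag, attrs))

    def handle_endtag(self, tag):
        if tag in self.dangerous:
            # max() tolerates a stray </script> with no matching start tag.
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth:
            return
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        # Text inside a dangerous element (e.g. script source) is discarded;
        # all other text is re-escaped so it cannot be read as markup.
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments are dropped; they are not content worth preserving

    def handle_decl(self, decl):
        if not self.skip_depth:
            self.out.append("<!%s>" % decl)


def scrub_html(text, dangerous=DANGEROUS_TAGS):
    """Return text with dangerous elements, and everything inside them, removed."""
    parser = ScrubHTML(dangerous)
    parser.feed(text)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample input for demonstration.
    sample = ('<p>Hello <b>world</b> &amp; 5 &lt; 6</p>'
              '<SCRIPT>alert("xss")</SCRIPT>'
              '<object data="evil.swf"><param name="a" value="b">fallback</object>'
              '<a href="http://example.com/?a=1&amp;b=2" title="A &quot;B&quot;">link</a><br/>')
    print(scrub_html(sample))
```

Running the sample shows the trade-off the Risks section below names: the whole object element goes, including its "fallback" text, because the scrubber removes the subtree rather than just the tag. Tag names are matched case-insensitively since html.parser lowercases them, so SCRIPT and script are treated alike.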

Deliverables

* Update the portal transforms package.

* Write some unit tests.

Risks

It might remove more than we want.
