Strict Standards: Non-static method Flyspray::absoluteURI() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/constants.inc.php on line 29 Strict Standards: Non-static method Flyspray::get_tmp_dir() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/constants.inc.php on line 78 Warning: session_start(): open(/data/web/tmp/sessions/sess_d5ik4cgi2phlui6d2t4h2okfd4, O_RDWR) failed: Disk quota exceeded (122) in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.flyspray.php on line 732 Warning: session_start(): open(/data/web/tmp/sessions/sess_me26rhua1q25pqs7accc2hg4q6, O_RDWR) failed: Disk quota exceeded (122) in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.flyspray.php on line 732 Warning: session_start(): open(/data/web/tmp/sessions/sess_6mmkej9s68hdqjhffggkl3jnt4, O_RDWR) failed: Disk quota exceeded (122) in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.flyspray.php on line 732 Warning: session_start(): open(/data/web/tmp/sessions/sess_q6n1gq8r8c6um5stpcv687ukk1, O_RDWR) failed: Disk quota exceeded (122) in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.flyspray.php on line 732 Warning: session_start(): open(/data/web/tmp/sessions/sess_jufntf5vok11q33mrm0tsdd0i4, O_RDWR) failed: Disk quota exceeded (122) in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.flyspray.php on line 732 Warning: session_start(): open(/data/web/tmp/sessions/sess_fn79rh2kf2jv80peg18s1128s7, O_RDWR) failed: Disk quota exceeded (122) in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.flyspray.php on line 732 Warning: session_start(): open(/data/web/tmp/sessions/sess_lmir08k1lmfrkknvkfp0tnhk72, O_RDWR) failed: Disk quota exceeded (122) in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.flyspray.php on line 732 Warning: session_start(): open(/data/web/tmp/sessions/sess_qdn6s5dmi5a90lp24o98mihe94, O_RDWR) failed: Disk quota exceeded (122) in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.flyspray.php on line 732 Warning: session_start(): open(/data/web/tmp/sessions/sess_vcq606d853cvs4e88gcblp82t3, O_RDWR) failed: Disk quota exceeded (122) in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.flyspray.php on line 732 Warning: session_start(): open(/data/web/tmp/sessions/sess_jo5mfk76ckiphe9r2h7oou3994, O_RDWR) failed: Disk quota exceeded (122) in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.flyspray.php on line 750 Strict Standards: Non-static method Flyspray::base_version() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/header.php on line 29 Strict Standards: Non-static method Flyspray::base_version() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/header.php on line 29 Strict Standards: Non-static method Req::val() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/header.php on line 39 Strict Standards: Non-static method Req::has() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 26 Strict Standards: Non-static method Req::num() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/header.php on line 40 Strict Standards: Non-static method Req::val() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 32 Strict Standards: Non-static method Req::has() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 26 Strict Standards: Non-static method Filters::num() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 32 Strict Standards: Non-static method Req::num() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/header.php on line 42 Strict Standards: Non-static method Req::val() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 32 Strict Standards: Non-static method Req::has() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 26 Strict Standards: Non-static method Filters::num() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 32 Warning: Cannot modify header information - headers already sent by (output started at /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php:26) in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.flyspray.php on line 677 Strict Standards: Non-static method Req::enum() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/index.php on line 20 Strict Standards: Non-static method Req::val() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 37 Strict Standards: Non-static method Req::has() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 26 Strict Standards: Non-static method Filters::enum() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 37 Strict Standards: Non-static method Req::has() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/index.php on line 26 Strict Standards: Non-static method Req::has() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/index.php on line 26 Strict Standards: Non-static method Cookie::has() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/index.php on line 33 Strict Standards: Non-static method Get::val() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/index.php on line 41 Strict Standards: Non-static method Get::has() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 100 Warning: Cannot modify header information - headers already sent by (output started at /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php:26) in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/index.php on line 82 Warning: Cannot modify header information - headers already sent by (output started at /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php:26) in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/index.php on line 83 Warning: Cannot modify header information - headers already sent by (output started at /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php:26) in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/index.php on line 84 Warning: Cannot modify header information - headers already sent by (output started at /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php:26) in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/index.php on line 87 Warning: Cannot modify header information - headers already sent by (output started at /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php:26) in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/index.php on line 88 Strict Standards: Non-static method Get::val() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/index.php on line 100 Strict Standards: Non-static method Get::has() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 100 Strict Standards: Non-static method Flyspray::requestDuplicated() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/index.php on line 109 Strict Standards: Non-static method Req::has() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/index.php on line 148 Strict Standards: Non-static method Req::num() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/scripts/details.php on line 15 Strict Standards: Non-static method Req::val() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 32 Strict Standards: Non-static method Req::has() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 26 Strict Standards: Non-static method Filters::num() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 32 Strict Standards: Non-static method Flyspray::GetTaskDetails() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/scripts/details.php on line 17 Strict Standards: Non-static method Flyspray::GetAssignees() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.flyspray.php on line 358 Strict Standards: Non-static method Get::val() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/scripts/details.php on line 34 Strict Standards: Non-static method Get::has() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 100 Strict Standards: Non-static method Post::has() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/scripts/details.php on line 34 Strict Standards: Non-static method TextFormatter::render() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/scripts/details.php on line 128 FS#131 : Better detection for "potentially unsafe contents"

Anwiki CMS

Anwiki CMS : the first wiki/CMS dedicated to multilingual contents
Tasklist

FS#131 - Better detection for "potentially unsafe contents"

Attached to Project: Anwiki CMS
Opened by Strict Standards: array_map() expects parameter 1 to be a valid callback, non-static method Filters::noXSS() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.tpl.php on line 281 anw (anw) - Strict Standards: Non-static method Filters::noXSS() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.tpl.php on line 613 Saturday, 18 September 2010, 16:06 GMT
Task Type Bug Report
Category Security
Status New
Assigned To No-one
Operating System All
Severity Low
Priority Normal
Reported Version Anwiki 0.2.2
Due in Version Undecided
Due Date Undecided
Percent Complete 0%
Votes 0
Private No

Details

As suggested by trev, detection of "potentially unsafe contents" could be better:

A script tag isn't the only way to insert "dangerous content" into the page. Consider the following examples:

<img src="dummy" onerror="alert('dangerous code')" />
<object data="malicious.html" type="text/html"></object>
<meta http-equiv="refresh" content="15;url=malicious.html"/>
<div style="top: expression(alert('dangerous code'))" />
<a href="javascript:alert('dangerous code')">Click me</a>

Properly sanitizing HTML code takes a whole lot more effort, typically it is about whitelisting a certain set of tags and attributes as well as additional checks for attribute that could contain URLs. See for example http://hg.mozilla.org/mozilla-central/file/c1bb86ae655a/content/base/src/nsContentSink.cpp#l1728
This task depends upon

Comment by anw (anw) - Strict Standards: Non-static method Filters::noXSS() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.tpl.php on line 613 Saturday, 18 September 2010, 16:27 GMT

Loading...

Warning: Unknown: open(/data/web/tmp/sessions/sess_jo5mfk76ckiphe9r2h7oou3994, O_RDWR) failed: Disk quota exceeded (122) in Unknown on line 0 Warning: Unknown: Failed to write session data (files). Please verify that the current setting of session.save_path is correct (0;660;/data/web/tmp/sessions) in Unknown on line 0