Strict Standards: Non-static method Flyspray::absoluteURI() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/constants.inc.php on line 29 Strict Standards: Non-static method Flyspray::get_tmp_dir() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/constants.inc.php on line 78 Warning: session_start(): open(/data/web/tmp/sessions/sess_1ut7helvf1ts3a1dac6m1dqke3, O_RDWR) failed: Disk quota exceeded (122) in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.flyspray.php on line 732 Warning: session_start(): open(/data/web/tmp/sessions/sess_gloekbbl8ab2p0e4rbgisnhot3, O_RDWR) failed: Disk quota exceeded (122) in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.flyspray.php on line 732 Warning: session_start(): open(/data/web/tmp/sessions/sess_srvlm3oj2i48lepsmhd38kd1q7, O_RDWR) failed: Disk quota exceeded (122) in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.flyspray.php on line 732 Warning: session_start(): open(/data/web/tmp/sessions/sess_t9475t8bce3pcbb6r643kob4n2, O_RDWR) failed: Disk quota exceeded (122) in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.flyspray.php on line 732 Warning: session_start(): open(/data/web/tmp/sessions/sess_4cd1orjiej37uccpalstrndqa2, O_RDWR) failed: Disk quota exceeded (122) in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.flyspray.php on line 732 Warning: session_start(): open(/data/web/tmp/sessions/sess_67lbknevf3hrqmk0lrfb019un4, O_RDWR) failed: Disk quota exceeded (122) in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.flyspray.php on line 732 Warning: session_start(): open(/data/web/tmp/sessions/sess_0toae3aq7p595jb1bjt824dg91, O_RDWR) failed: Disk quota exceeded (122) in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.flyspray.php on line 732 Warning: session_start(): open(/data/web/tmp/sessions/sess_f7nqnrcl7kk3tvormfga7io5s2, O_RDWR) failed: Disk quota exceeded (122) in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.flyspray.php on line 732 Warning: session_start(): open(/data/web/tmp/sessions/sess_jg4j0u3s8v73n42opd4snr5jk3, O_RDWR) failed: Disk quota exceeded (122) in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.flyspray.php on line 732 Warning: session_start(): open(/data/web/tmp/sessions/sess_1lokhlo4a3klki8e80v8ftdgq1, O_RDWR) failed: Disk quota exceeded (122) in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.flyspray.php on line 750 Strict Standards: Non-static method Flyspray::base_version() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/header.php on line 29 Strict Standards: Non-static method Flyspray::base_version() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/header.php on line 29 Strict Standards: Non-static method Req::val() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/header.php on line 39 Strict Standards: Non-static method Req::has() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 26 Strict Standards: Non-static method Req::num() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/header.php on line 40 Strict Standards: Non-static method Req::val() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 32 Strict Standards: Non-static method Req::has() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 26 Strict Standards: Non-static method Filters::num() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 32 Strict Standards: Non-static method Req::num() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/header.php on line 42 Strict Standards: Non-static method Req::val() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 32 Strict Standards: Non-static method Req::has() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 26 Strict Standards: Non-static method Filters::num() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 32 Warning: Cannot modify header information - headers already sent by (output started at /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php:26) in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.flyspray.php on line 677 Strict Standards: Non-static method Req::enum() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/index.php on line 20 Strict Standards: Non-static method Req::val() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 37 Strict Standards: Non-static method Req::has() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 26 Strict Standards: Non-static method Filters::enum() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 37 Strict Standards: Non-static method Req::has() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/index.php on line 26 Strict Standards: Non-static method Req::has() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/index.php on line 26 Strict Standards: Non-static method Cookie::has() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/index.php on line 33 Strict Standards: Non-static method Get::val() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/index.php on line 41 Strict Standards: Non-static method Get::has() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 100 Warning: Cannot modify header information - headers already sent by (output started at /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php:26) in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/index.php on line 82 Warning: Cannot modify header information - headers already sent by (output started at /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php:26) in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/index.php on line 83 Warning: Cannot modify header information - headers already sent by (output started at /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php:26) in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/index.php on line 84 Warning: Cannot modify header information - headers already sent by (output started at /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php:26) in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/index.php on line 87 Warning: Cannot modify header information - headers already sent by (output started at /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php:26) in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/index.php on line 88 Strict Standards: Non-static method Get::val() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/index.php on line 100 Strict Standards: Non-static method Get::has() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 100 Strict Standards: Non-static method Flyspray::requestDuplicated() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/index.php on line 109 Strict Standards: Non-static method Req::has() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/index.php on line 148 Strict Standards: Non-static method Req::num() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/scripts/details.php on line 15 Strict Standards: Non-static method Req::val() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 32 Strict Standards: Non-static method Req::has() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 26 Strict Standards: Non-static method Filters::num() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 32 Strict Standards: Non-static method Flyspray::GetTaskDetails() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/scripts/details.php on line 17 Strict Standards: Non-static method Flyspray::GetAssignees() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.flyspray.php on line 358 Strict Standards: Non-static method Get::val() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/scripts/details.php on line 34 Strict Standards: Non-static method Get::has() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 100 Strict Standards: Non-static method Post::has() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/scripts/details.php on line 34 Strict Standards: Non-static method TextFormatter::render() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/scripts/details.php on line 128 FS#131 : Better detection for "potentially unsafe contents"

Anwiki CMS

Anwiki CMS : the first wiki/CMS dedicated to multilingual contents
Tasklist

FS#131 - Better detection for "potentially unsafe contents"

Attached to Project: Anwiki CMS
Opened by Strict Standards: array_map() expects parameter 1 to be a valid callback, non-static method Filters::noXSS() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.tpl.php on line 281 anw (anw) - Strict Standards: Non-static method Filters::noXSS() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.tpl.php on line 613 Saturday, 18 September 2010, 16:06 GMT
Task Type Bug Report
Category Security
Status New
Assigned To No-one
Operating System All
Severity Low
Priority Normal
Reported Version Anwiki 0.2.2
Due in Version Undecided
Due Date Undecided
Percent Complete 0%
Votes 0
Private No

Details

As suggested by trev, detection of "potentially unsafe contents" could be better:

A script tag isn't the only way to insert "dangerous content" into the page. Consider the following examples:

<img src="dummy" onerror="alert('dangerous code')" />
<object data="malicious.html" type="text/html"></object>
<meta http-equiv="refresh" content="15;url=malicious.html"/>
<div style="top: expression(alert('dangerous code'))" />
<a href="javascript:alert('dangerous code')">Click me</a>

Properly sanitizing HTML code takes a whole lot more effort, typically it is about whitelisting a certain set of tags and attributes as well as additional checks for attribute that could contain URLs. See for example http://hg.mozilla.org/mozilla-central/file/c1bb86ae655a/content/base/src/nsContentSink.cpp#l1728
This task depends upon

Comment by anw (anw) - Strict Standards: Non-static method Filters::noXSS() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.tpl.php on line 613 Saturday, 18 September 2010, 16:27 GMT

Loading...

Warning: Unknown: open(/data/web/tmp/sessions/sess_1lokhlo4a3klki8e80v8ftdgq1, O_RDWR) failed: Disk quota exceeded (122) in Unknown on line 0 Warning: Unknown: Failed to write session data (files). Please verify that the current setting of session.save_path is correct (0;660;/data/web/tmp/sessions) in Unknown on line 0