Commit Graph

26 Commits

Author SHA1 Message Date
Bharat Mediratta
c3c2b45280 Update the copyright to 2010. It's only 3 months into the year :-) 2010-03-03 10:15:34 -08:00
Bharat Mediratta
76da85a1a0 Extend Gallery_Unit_Test_Case instead of Unit_Test_Case. 2010-01-19 22:38:19 -08:00
Tim Almdal
719b111219 Correct indentation 2009-09-23 14:38:38 -07:00
Andy Staudacher
2e23ae98c4 - Add theme->movie_menu() to whitelisted methods.
- xss_data checkpoint
2009-09-17 14:12:43 -07:00
Andy Staudacher
d2cea7905e Remove debugging code 2009-09-01 00:53:17 -07:00
Andy Staudacher
c0d4937e43 Fix bug in XSS scanner for <script> block @ position 0 of inline_html 2009-09-01 00:52:21 -07:00
Andy Staudacher
50c8b96405 Add XSS check for HTML attributes 2009-08-31 21:17:35 -07:00
Andy Staudacher
48050aca41 Add XSS check to ensure that html::js_string() is not preceded by a quote. 2009-08-31 19:53:53 -07:00
Andy Staudacher
26f6d8192f Adding XSS test for href="javascript: and onclick="..." 2009-08-31 01:11:50 -07:00
Andy Staudacher
ddb84c84e1 Rename mark_safe() to mark_clean() 2009-08-31 00:42:18 -07:00
Andy Staudacher
0a0c7a78e6 Check for href="<?= $foo ?>" (malicious "javascript:..." string) 2009-08-30 21:25:21 -07:00
Andy Staudacher
df38a890a6 Tabs to spaces cleanup 2009-08-30 18:07:13 -07:00
Andy Staudacher
beb711d6a0 Rename clean_js to js_string and have it return a complete JS string (with delimiters) instead of just the string contents.
Benefits: Using json_encode(), which is very robust. And as a user, it's clearer how to use this API compared to what it was before.
2009-08-30 15:21:02 -07:00
Andy Staudacher
22aa0b3092 Add $theme-> methods to Xss whitelist for HTML safety.
Updating XSS golden file.
2009-08-30 07:25:49 -07:00
Andy Staudacher
b9bd1681a3 Update all code to use helper method html::clean(), html::purify(), ... instead of SafeString directly. 2009-08-29 22:54:20 -07:00
Andy Staudacher
952c885609 Adding html::clean(), ::purify(), etc. 2009-08-29 22:31:23 -07:00
Andy Staudacher
b4b638be44 Undo url helper changes - url methods no longer return a SafeString.
Adding SafeString::of_safe_html() calls where urls are passed as parameters to t() and t2().
2009-08-29 16:28:30 -07:00
Andy Staudacher
d5660d2d3e Fixing all detected XSS vectors in PHP->JS code.
Xss: Rename UNKNOWN back to DIRTY, JS_XSS to DIRTY_JS.
(using a different flag value to highlight potential XSS vectors in JS)
2009-08-29 13:41:18 -07:00
Andy Staudacher
a10063ff68 Add more factory methods for convenience:
SafeString::purify() and SafeString::of_safe_html().

Removing SafeString::mark_html_safe() since it's no longer needed.
2009-08-29 12:34:09 -07:00
Andy Staudacher
1d633457c4 Have url::site() and other methods return a SafeString, just as t() and t2().
Benefits:
 - url::site() is often used in views and we can ensure in the url class that returned strings are indeed safe for use in HTML. Makes the list of vars of unknown safety status shorter.
 - url::site() is often used as message parameter to t() and t2(). The parameter would be HTML-escaped if it wasn't marked as safe HTML already. Makes the usage simpler / shorter.
2009-08-29 11:31:00 -07:00
Andy Staudacher
020281d932 Adding SafeString which is going to replace p::clean() and p::purify().
Refactoring of Xss_Security_Test.
t() and t2() return a SafeString instance.

TODO:
 - Update all code to use SafeString where appropriate.
 - Update golden file of Xss_Security_Test
 - Stop reporting CLEAN vars in Xss_Security_Test
2009-08-29 10:45:47 -07:00
Bharat Mediratta
b46998e392 Update Xss_Security_Test to know about p::purify() and checkpoint the
golden file.
2009-07-16 10:24:10 -07:00
Andy Staudacher
329bd8caa1 Remove source code copy artefact 2009-06-05 18:31:15 -07:00
Bharat Mediratta
743b321154 Change "CLEAN" to an empty string to see if it's better visually.
Looks like it is.
2009-06-04 12:23:12 -07:00
Bharat Mediratta
a049de28ac Update the clean/dirty format, check all files instead of just one (which was for debugging) 2009-05-31 00:13:28 -07:00
Bharat Mediratta
ad81861c33 First pass at an XSS security test, along with the "p" helper which
can clean HTML output.
2009-05-31 00:11:02 -07:00