How is allowedHTML implemented in a module? If I allow HTML input in my module, is disallowed HTML stripped out somewhere along the line automatically (DBUtil::insertObject ??). I know that using DataUtil::formatForDisplayHTML() eliminates it from display, but is it ever stripped before entering the DB?
Ultimate question: Do I need to do something in my module as I validate my user entry to ensure security in my module, or is this handled automatically?
allowedHTML ??
The AllowedHTML is a responsibility of the "Presentation Layer", so your templates are the ones responsible for stripping the disallowed tags with |pnvarprepfordisplay. But those settings can change in different ways, like changing the output filter to Internal instead of SafeHTML, so it makes no sense to strip them when storing the data in the database.
DBUtil sanitizes the data that you're storing in the database. If you're performing "manual" SQL queries, use DataUtil::formatForStore for each variable in that SQL.
--
- Mateo T. -
My principles... are my ends
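A sketch of the split the reply describes, added here as an example and not code from the thread or from Zikula itself: the module stores the submitted HTML unchanged (DBUtil escaping it for SQL, or DataUtil::formatForStore for a hand-written query) and applies the AllowedHTML settings only when the value is rendered. The table name demo_notes, its columns and the function names are assumptions for illustration.

```php
<?php
// Added example for a Zikula 1.x module API; table and function names are assumed.

function Demo_api_note_store($args)
{
    // Store the raw submission: tags stay in the row untouched. DBUtil escapes
    // the values for the SQL statement, so no formatForStore call is needed here.
    $note = array(
        'title' => $args['title'],
        'body'  => $args['body'],   // may contain <b>, <script>, ... as typed
    );
    $result = DBUtil::insertObject($note, 'demo_notes');
    return ($result === false) ? false : $note['id'];
}

function Demo_api_note_storeManual($args)
{
    // Same insert with a hand-written query: every interpolated value must go
    // through DataUtil::formatForStore, which escapes it for the database driver
    // (it does not add the surrounding quotes, so they stay in the SQL string).
    $tables = DBUtil::getTables();
    $table  = $tables['demo_notes'];
    $col    = $tables['demo_notes_column'];
    $title  = DataUtil::formatForStore($args['title']);
    $body   = DataUtil::formatForStore($args['body']);
    $sql = "INSERT INTO $table ({$col['title']}, {$col['body']}) "
         . "VALUES ('$title', '$body')";
    return DBUtil::executeSQL($sql) !== false;
}

function Demo_api_note_render($note)
{
    // Presentation layer: disallowed tags are removed here according to the
    // site's AllowedHTML settings, not when the row was written. Changing the
    // output filter later therefore changes what is shown, not what is stored.
    return array(
        'title' => DataUtil::formatForDisplay($note['title']),      // plain text
        'body'  => DataUtil::formatForDisplayHTML($note['body']),   // allowed HTML only
    );
}
```

The title, which should never contain markup, is escaped completely; only the body field goes through the AllowedHTML filter.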