Simplifying SafeString a bit: From a XSS HTML security point of view, treat clean() and purify() the same. - gallery3.git - A clone of the Gallery3 code for testing and development.

diff options

author	Andy Staudacher <andy.st@gmail.com>	2009-09-04 10:11:42 -0700
committer	Andy Staudacher <andy.st@gmail.com>	2009-09-04 10:11:42 -0700
commit	c453c0ef8239bc79e484dd3feb9e275e942e9d48 (patch)
tree	1c2253016c217462df2cb87fc74fcfff497bac7a /lib/flowplayer.controls.swf
parent	1ffb5b24dff439b4a3e9e7f2df3af1a0f8e9e5a0 (diff)

Simplifying SafeString a bit: From a XSS HTML security point of view, treat clean() and purify() the same.

No longer run a safe HTML string through the HTML purifier (since it's already marked as safe). This also addresses the issue of calling purify() when no purifier is installed. In that case, we'd run clean() on a clean string (double HTML encoding). If this approach doesn't work out, we can still modify the fallback code of purify() to check if the string is already clean before calling clean() instead of purify().

Diffstat (limited to 'lib/flowplayer.controls.swf')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: