| Age | Commit message (Collapse) | Author | |
|---|---|---|---|
| 2009-08-30 | Rename clean_js to js_string and have it return a complete JS string (with ↵ | Andy Staudacher | |
| delimiters) instead of just the string contents. Benefits: Using json_encode(), which is very robust. And as a user, it's clearer how to use this API compared to what it was before. | |||
| 2009-08-30 | Add $theme-> methods to Xss whitelist for HTML safety. | Andy Staudacher | |
| Updating XSS golden file. | |||
| 2009-08-29 | Update all code to use helper method html::clean(), html::purify(), ... ↵ | Andy Staudacher | |
| instead of SafeString directly. | |||
| 2009-08-29 | Adding html::clean(), ::purify(), etc. | Andy Staudacher | |
| 2009-08-29 | Undo url helper changes - url methods no longer return a SafeString. | Andy Staudacher | |
| Adding SafeString::of_safe_html() calls where urls are passed as parameters to t() and t2(). | |||
| 2009-08-29 | Fixing all detected XSS vectors in PHP->JS code. | Andy Staudacher | |
| Xss: Rename UNKNOWN back to DIRTY, JS_XSS to DIRTY_JS. (using a different flag value to highlight potential XSS vectors in JS) | |||
| 2009-08-29 | Add more factory methods for convenience: | Andy Staudacher | |
| SafeString::purify() and SafeString::of_safe_html(). Removing SafeString::mark_html_safe() since it's no longer needed. | |||
| 2009-08-29 | Have url::site() and other methods return a SafeString, just as t() and t2(). | Andy Staudacher | |
| Benefits: - url::site() is often used in views and we can ensure in the url class that returned strings are indeed safe for use in HTML. Makes the list of vars of unknown safety status shorter. - url::site() is often used as message parameter to t() and t2(). The parameter would be HTML-escaped if it wasn't marked as safe HTML already. Makes the usage simpler / shorter. | |||
| 2009-08-29 | Adding SafeString which is going to replace p::clean() and p::purify(). | Andy Staudacher | |
| Refactoring of Xss_Security_Test. t() and t2() return a SafeString instance. TODO: - Update all code to use SafeString where appropriate. - Update golden fole of Xss_Security_Test - Stop reporting CLEAN vars in Xss_Security_Test | |||
| 2009-07-16 | Update Xss_Security_Test to know about p::purify() and checkpoint the | Bharat Mediratta | |
| golden file. | |||
| 2009-06-05 | Remove source code copy artefact | Andy Staudacher | |
| 2009-06-04 | Change "CLEAN" to an empty string to see if it's better visually. | Bharat Mediratta | |
| Looks like it is. | |||
| 2009-05-31 | Update the clean/dirty format, check all ffiles instead of just one (which ↵ | Bharat Mediratta | |
| was for debugging) | |||
| 2009-05-31 | First pass at an XSS security test, along with the "p" helper which | Bharat Mediratta | |
| can clean HTML output. | |||
 |
index : gallery3.git | |
| A clone of the Gallery3 code for testing and development. | root |
| summaryrefslogtreecommitdiff |