Closed (fixed)
Project:
Paranoia
Version:
6.x-1.x-dev
Component:
Code
Priority:
Normal
Category:
Feature request
Assigned:
Unassigned
Reporter:
Created:
13 Jan 2009 at 21:23 UTC
Updated:
9 Aug 2012 at 17:01 UTC
THe objective of this module is to prevent a successful intruder to cause too miuch harm. Thus we should also disabel the possibility to add JS (and other potentially harmful stuff) to input.
Comments
Comment #1
pwolanin commentedcan we use the list of tags from filter_xss_admin? If the module doesn't require the use of an HTML filter for all formats, it wold seem too easy to bypass by just omitting the filter?
Comment #2
coltraneThere are some legitimate uses for Javascript via user-input. Perhaps this could be a setting?
Comment #3
gregglesI agree that there are legitimate uses of JS/flash so this feels to me like something that should be handled via a detective process that is reviewed by humans rather than a preventive solution.
security_review.module already has a feature like this that audits and reports on field/node/comment bodies so I think this issue should be marked "won't fix" in favor of that solution.
Comment #4
gregglesUpdating title so this module can just suggest security_review instead.
Anything else we should suggest?
Comment #5
greggleshttp://drupal.org/node/76935/revisions/view/2036906/2242950