THe objective of this module is to prevent a successful intruder to cause too miuch harm. Thus we should also disabel the possibility to add JS (and other potentially harmful stuff) to input.

Comments

pwolanin’s picture

can we use the list of tags from filter_xss_admin? If the module doesn't require the use of an HTML filter for all formats, it wold seem too easy to bypass by just omitting the filter?

coltrane’s picture

There are some legitimate uses for Javascript via user-input. Perhaps this could be a setting?

greggles’s picture

I agree that there are legitimate uses of JS/flash so this feels to me like something that should be handled via a detective process that is reviewed by humans rather than a preventive solution.

security_review.module already has a feature like this that audits and reports on field/node/comment bodies so I think this issue should be marked "won't fix" in favor of that solution.

greggles’s picture

Title: Check input formats for dangerous input options (Javascript, flash, ...) » Add links to other relevant modules to paranoia project page
Status: Active » Needs review

Updating title so this module can just suggest security_review instead.

Anything else we should suggest?

greggles’s picture

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.