XSS

Cross-site scripting

http://en.wikipedia.org/wiki/Cross-site_scripting
http://en.wikipedia.org/wiki/Vulnerability


The following list of articles includes references to XSS and how to avoid leaving this common vulnerability in your modules.

Sod input formats, it's ok for me

Today this arrived on my desk...

```php
$node->format = 2; // Allow for HTML in Node
```

This snippet was from code that was about to create a new node. The body of this node came in via an external XML/RSS feed.

OK buddy, you may trust this source, but can you expect everyone you share your module with to inherit your implicit trust?

In fact, I saw this in two CVS applications today. Both were declined (for more than just this).
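For contrast, here is the same node-creation step with the input format handled safely. This is an added example, not code from the post or from either of the declined applications; it assumes the Drupal 5/6-era API the snippet uses (node_save(), filter_xss(), filter_resolve_format()), and the function name foo_feed_item_to_node() and the $item array standing for one entry from the external feed are made up for the illustration.

```php
<?php
// Added example, not code from the original post. Written against the
// Drupal 5/6-era API; foo_feed_item_to_node() and $item are made-up names
// standing for one entry pulled from the external XML/RSS feed.
function foo_feed_item_to_node($item) {
  $node = new stdClass();
  $node->type = 'foo';
  $node->uid = 0;        // do not attribute feed content to the importing admin
  $node->status = 1;
  $node->title = $item['title']; // core runs check_plain() on titles at render time

  // Vulnerable: hard-coding format 2 (Full HTML on a default install) means
  // any <script> or onerror= attribute the feed carries is sent to every
  // visitor's browser verbatim.
  // $node->format = 2;

  // Hardened: store feed content under the site's default (restrictive) input
  // format, and strip dangerous markup before it is saved so the body stays
  // safe even if an administrator later changes the format assignments.
  $node->format = filter_resolve_format(FILTER_FORMAT_DEFAULT);
  $node->body = filter_xss($item['body']);

  node_save($node);
  return $node->nid;
}
```

The point of doing both (default format and filter_xss()) is that the input format is a site-wide setting the module author does not control: on another site, format 2 may be anything, so the module has to be safe regardless of how the formats are configured there.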



Getting nodes and displaying a list

This article focuses on one of the main reasons applications are rejected: the module acquires a list of nodes and renders some sort of output to the browser. It's a common task, often seen and often done totally wrong.

So, by example, let's look at a snippet of often-seen code that gets reviewed and rejected, and then we'll break it down and examine each point.

```php
function foo() {
  $sql = "SELECT nid, title FROM {node} WHERE type = 'foo'";
  // No db_rewrite_sql(): node access restrictions are bypassed.
  $result = db_query($sql);
  while ($row = db_fetch_array($result)) {
    // $row['title'] goes to the browser unescaped (XSS), the path is built
    // by hand instead of with url()/l(), the <a> is never closed, and
    // $output is never initialised.
    $output .= '<li><a href="node/'.$row['nid'].'">'. $row['title'].'</li>';
  }
  return $output;
}
```
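The same listing done the way a review expects to see it. This is an added example, not the article's own code; it assumes the Drupal 5/6-era API used by the snippet above (db_query() with placeholders, db_rewrite_sql(), l(), theme('item_list')), and the function name foo_node_list() and the added status = 1 condition (so unpublished nodes are not listed) are choices made for this illustration.

```php
<?php
// Added example, not code from the original article. Hardened version of the
// node listing above, written against the Drupal 5/6-era API; the name
// foo_node_list() is made up for this example.
function foo_node_list($type = 'foo') {
  $items = array();

  // Pass the type as a '%s' placeholder rather than concatenating it into
  // the SQL, and wrap the query in db_rewrite_sql() so node access modules
  // can limit the result to nodes the current user is allowed to see.
  // The {node} table is aliased as n, which is what db_rewrite_sql() expects.
  $sql = "SELECT n.nid, n.title FROM {node} n WHERE n.type = '%s' AND n.status = 1";
  $result = db_query(db_rewrite_sql($sql), $type);

  while ($node = db_fetch_object($result)) {
    // l() builds the href with url() and runs check_plain() on the link
    // text, so a title like <script>alert(1)</script> renders as literal text
    // instead of executing.
    $items[] = l($node->title, 'node/' . $node->nid);
  }

  // theme('item_list') emits the <ul>/<li> markup with balanced tags;
  // nothing from the database reaches the browser unescaped.
  return theme('item_list', $items);
}
```

If you need to pass already-escaped HTML as link text, l() accepts an $html flag, but the default (escape everything) is the right one for data you did not generate yourself.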


