details about XSS

Pierrick Le Gall
2023-05-17 15:58:12 +02:00
parent 70784e3993
commit db902e990d
+11 -1
@@ -61,7 +61,17 @@ DELETE FROM '.OLD_PERMALINKS_TABLE.'
## (stored) XSS
TODO explain what it is, when it's a problem and when it's not a problem but a feature
Read a full explanation about [Cross Site Scripting (XSS) vulnerability on Wikipedia](https://en.wikipedia.org/wiki/Cross-site_scripting).
To avoid XSS in Piwigo, we must avoid using HTML/Javascript "as is" when provided by user input. But wait, it's not as simple as using `strip_tags` systematically. Indeed, all HTML/Javascript is not a problem. To make things simple, **administrators** are allowed to inject HTML/JS code in photo/album descriptions. That's a feature, not a vulnerability.
For lower user status, Piwigo must remove unexpected content, like this:
```
$field => strip_tags($_POST[$field]) // strip_tags prevents from XSS attempt
```
Generally speaking, use such a protection on gallery side (when adding a user comment for example).
## CSRF