mirror of
https://github.com/Piwigo/Piwigo.git
synced 2026-07-06 18:01:31 +02:00
details about XSS
+11
-1
@@ -61,7 +61,17 @@ DELETE FROM '.OLD_PERMALINKS_TABLE.'
|
||||
|
||||
## (stored) XSS
|
||||
|
||||
TODO explain what it is, when it's a problem and when it's not a problem but a feature
|
||||
Read a full explanation about [Cross Site Scripting (XSS) vulnerability on Wikipedia](https://en.wikipedia.org/wiki/Cross-site_scripting).
|
||||
|
||||
To avoid XSS in Piwigo, we must avoid using HTML/Javascript "as is" when provided by user input. But wait, it's not as simple as using `strip_tags` systematically. Indeed, all HTML/Javascript is not a problem. To make things simple, **administrators** are allowed to inject HTML/JS code in photo/album descriptions. That's a feature, not a vulnerability.
|
||||
|
||||
For lower user status, Piwigo must remove unexpected content, like this:
|
||||
|
||||
```
|
||||
$field => strip_tags($_POST[$field]) // strip_tags prevents from XSS attempt
|
||||
```
|
||||
|
||||
Generally speaking, use such a protection on gallery side (when adding a user comment for example).
|
||||
|
||||
## CSRF
|
||||
|
||||
|
||||
Reference in New Issue
Block a user