From db902e990d6ff5d2627254bc6841c1c22cfedca4 Mon Sep 17 00:00:00 2001 From: Pierrick Le Gall Date: Wed, 17 May 2023 15:58:12 +0200 Subject: [PATCH] details about XSS --- Security-and-coding.md | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/Security-and-coding.md b/Security-and-coding.md index fb3a136..f150842 100644 --- a/Security-and-coding.md +++ b/Security-and-coding.md @@ -61,7 +61,17 @@ DELETE FROM '.OLD_PERMALINKS_TABLE.' ## (stored) XSS -TODO explain what it is, when it's a problem and when it's not a problem but a feature +Read a full explanation about [Cross Site Scripting (XSS) vulnerability on Wikipedia](https://en.wikipedia.org/wiki/Cross-site_scripting). + +To avoid XSS in Piwigo, we must avoid using HTML/Javascript "as is" when provided by user input. But wait, it's not as simple as using `strip_tags` systematically. Indeed, all HTML/Javascript is not a problem. To make things simple, **administrators** are allowed to inject HTML/JS code in photo/album descriptions. That's a feature, not a vulnerability. + +For lower user status, Piwigo must remove unexpected content, like this: + +``` + $field => strip_tags($_POST[$field]) // strip_tags prevents from XSS attempt +``` + +Generally speaking, use such a protection on gallery side (when adding a user comment for example). ## CSRF