[Owncloud] regarding quality

Bjoern Schiessle schiessle at owncloud.com
Mon Jul 2 08:07:12 UTC 2012


Hi Florian,

On Fri, 29 Jun 2012 20:07:37 +0200 Florian Rüchel wrote:
> concerning input sanitization, especially on forms:
> Maybe you should take a look at available form frameworks or start
> coding your own. Since I never did this on PHP (only WTForms for
> Python) I cannot direct you to one.
> You create a Form as a class, an XML file or any other representation
> and it is able to render it to HTML code. You later pass it the
> transmitted value and it will take on sanitization. This way it will
> always take care that your data is filtered like it should be.

I think we should always sanitize the output, not the input. People
should be able to name their files, directories, events,... however
they want. At the same time we have to take care that everything
displayed in the web interface is properly escaped.

We already implemented this as part of the template class and provide
a simple way through Util::sanitizeHTML() for it. Every developer
should take care to use the template class without disabled
sanitization and/or send all strings to Util::sanitizeHTML() before
displaying them on the web page.

cheers,
Björn
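The "store verbatim, escape at output" rule Björn describes, as an added example that is not ownCloud's own code: the sanitizeHTML() below is a stand-in modelled on the Util::sanitizeHTML() mentioned in the mail (its real signature is not on the page, so it is an assumption), and the tiny render() helper plays the role of a template class that escapes every placeholder unless the caller explicitly disables it.

```php
<?php
// Added example, not ownCloud code. Filenames and other user input are stored
// exactly as typed; escaping happens only when the value is rendered to HTML.

// Stand-in for Util::sanitizeHTML() (assumed helper, modelled on the mail).
function sanitizeHTML(string $value): string {
    // Escape &, <, >, " and ' so the value is inert both in element text and
    // inside double- or single-quoted attribute values.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Minimal template renderer: {{name}} placeholders are escaped by default.
// Passing $escape = false is the "template class with disabled sanitization"
// case the mail warns against, shown here only to make the difference visible.
function render(string $template, array $vars, bool $escape = true): string {
    return preg_replace_callback('/\{\{(\w+)\}\}/', function ($m) use ($vars, $escape) {
        $value = $vars[$m[1]] ?? '';
        return $escape ? sanitizeHTML($value) : $value;
    }, $template);
}

// Constructed sample: a name a user is legitimately allowed to choose.
// Input sanitization would have to mangle it; output escaping keeps it intact.
$stored = 'Tom & Jerry <draft> "v2".txt';

// One raw value, two output contexts: the href needs URL encoding first
// (HTML escaping alone is not enough there), the title/text need HTML escaping.
$tpl  = '<li><a href="/files/{{url}}" title="{{name}}">{{name}}</a></li>';
$vars = ['name' => $stored, 'url' => rawurlencode($stored)];

// Safe: markup characters arrive in the page as entities, the stored name is unchanged.
echo render($tpl, $vars), PHP_EOL;

// Unsafe: with sanitization disabled the raw markup is emitted as-is.
echo render($tpl, $vars, false), PHP_EOL;
```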
