Your question goes beyond symfony and escaping. If you are not sure about
the code that will be entered in the CMS, don't allow HTML code. Use
Markdown, BBCode or whatever convention you want, but strip all HTML entered
by the user. There is no way to allow direct HTML formatting AND be safe
from XSS at the same time.

The CMS is designed to be used by editors who don't want to harm the site,
so HTML can be allowed. But if your need is different, specialize the rich
text slot and make it Markdown only.

François

2007/10/31, Mohammad Asif Ali <[EMAIL PROTECTED]>:
>
> Thanks for your post.
>
> I fixed the problem in the sfSimpleCMS plugin using
> escaping_strategy: bc
>
> but this causes XSS in the sfSimpleForum plugin.
> The fix for this is escaping_strategy: both
>
> Both plugins are using different settings for escaping_strategy.
>
> Could you please tell me how I can use both plugins without any
> problem?
>
> Thanks in advance :o)
>
> On Oct 30, 1:05 pm, "Francois Zaninotto" <[EMAIL PROTECTED]> wrote:
> > Yes, BC means backwards compatible here, too. It means that escaping is
> > not turned on by default, but you can get escaped variables if you ask
> > for them one by one by way of the $sf_data container.
> >
> > François
> >
> > 2007/10/30, Steve Daniels <[EMAIL PROTECTED]>:
> >
> > > I might be completely off base here, but normally when I see "bc"
> > > mentioned it refers to "backwards compatibility"
> > >
> > > HTH
> > >
> > > Steve
> > >
> > > On 30/10/2007, Mohammad Asif Ali <[EMAIL PROTECTED]> wrote:
> > >
> > > > Hi,
> > > >
> > > > Thanks for your help. I fixed it.
> > > >
> > > > I put escaping_strategy: bc, and then it's solved.
> > > >
> > > > I understand the other values for escaping_strategy (both, on,
> > > > off), but what is the use of "bc"?
> > > >
> > > > Thanks in advance :o)
> > > >
> > > > On Oct 29, 7:11 pm, "Francois Zaninotto" <[EMAIL PROTECTED]> wrote:
> > > > > Hi Asif,
> > > > >
> > > > > Do you have output escaping turned on? If so, you must use the
> > > > > latest trunk version of the plugin.
> > > > >
> > > > > François
> > > > >
> > > > > 2007/10/29, Mohammad Asif Ali <[EMAIL PROTECTED]>:
> > > > >
> > > > > > Hi,
> > > > > >
> > > > > > I have installed the sfSimpleCMS plugin and also enabled rich
> > > > > > text editing using TinyMCE.
> > > > > > The problem is that when I add some rich text and view the page,
> > > > > > it simply shows the HTML tags and does not parse the HTML.
> > > > > >
> > > > > > Can anyone tell me what I am missing? Thanks in advance
> > > > > >
> > > > > > --Asif--
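A worked illustration of the two render paths discussed in this thread: a trusted editor slot whose HTML is output verbatim (what a symfony 1.0 template gets from `$sf_data->getRaw()` when the variable is requested unescaped), and an untrusted slot for forum-style input where all HTML is stripped, the remainder is escaped, and only a small Markdown-like subset is turned back into markup. This is an added example, not code from sfSimpleCMS, sfSimpleForum or the symfony core; the function names, the tiny Markdown subset (a stand-in for a real Markdown library) and the sample inputs are constructed for this example.

```php
<?php
// Added example: two render paths for a "rich text" slot, following the
// advice in the thread above. Not code from sfSimpleCMS, sfSimpleForum or
// symfony; function names and the markup subset are constructed here.
declare(strict_types=1);

const CHARSET = 'UTF-8';

function esc(string $s): string
{
    // Same idea as symfony 1.0's ESC_ENTITIES method: encode < > & " and '.
    return htmlspecialchars($s, ENT_QUOTES, CHARSET);
}

function render_trusted_html(string $editorHtml): string
{
    // Editors are trusted by design: the CMS slot keeps their HTML verbatim
    // (the equivalent of echoing $sf_data->getRaw('content') in a template).
    return $editorHtml;
}

function safe_url(string $url): ?string
{
    // Only absolute http(s) links. A "javascript:" or "data:" URL survives
    // entity escaping untouched and still runs when the link is clicked.
    $url = trim($url);
    if (preg_match('#\Ahttps?://[^\s"\'<>]+\z#i', $url) === 1) {
        return $url;
    }
    return null;
}

function render_untrusted_markup(string $userText): string
{
    // 1. Drop every tag the user typed: no HTML from untrusted users.
    $text = strip_tags($userText);
    // 2. Escape what remains, so nothing below can be read as HTML.
    $text = esc($text);
    // 3. Apply the markup subset to the already-escaped text. Links first,
    //    so the bold/italic rules cannot fire inside a URL.
    $text = preg_replace_callback(
        '/\[([^\]]+)\]\(([^)\s]+)\)/',
        function (array $m): string {
            // The URL was escaped in step 2; decode it before validating,
            // then re-escape it for the attribute.
            $url = safe_url(html_entity_decode($m[2], ENT_QUOTES, CHARSET));
            if ($url === null) {
                return $m[1]; // unsafe scheme: keep the text, drop the link
            }
            return '<a href="' . esc($url) . '" rel="nofollow">' . $m[1] . '</a>';
        },
        $text
    );
    $text = preg_replace('/\*\*([^*]+)\*\*/', '<strong>$1</strong>', $text);
    $text = preg_replace('/\*([^*]+)\*/', '<em>$1</em>', $text);
    return nl2br($text);
}

// Constructed sample: a forum post carrying a script tag and a javascript: link.
$forumPost = "Hello **world**\n<script>alert(1)</script>\n"
           . "[ok](https://symfony-project.com) [bad](javascript:alert%281%29)";
echo render_untrusted_markup($forumPost), PHP_EOL;

// Constructed sample: an editor's CMS slot, output untouched.
echo render_trusted_html('<p>Welcome to the <em>site</em></p>'), PHP_EOL;
```

Two caveats a practitioner should keep in mind. `strip_tags()` is a blunt instrument: it treats any `<` as the start of a tag and discards text up to the next `>`, so a post containing "1 < 2 and 3 > 2" loses words; a real Markdown or BBCode library with inline HTML disabled is the better choice for production, and it should still be followed by the same escaping and URL-scheme check. And the order matters: escape first, then add markup from a fixed allowlist. Reversing the order (running a markup converter on raw input and escaping afterwards) either destroys the generated tags or, if escaping is skipped, reintroduces the XSS the thread is about.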
