CodeIgniter and XSS protection
#7

[eluser]Padraic Brady[/eluser]
Quote: At the end, look again at my previous post, and you will find that I think introductory articles on security issues such as yours must be appreciated. The only objections have come from me: how can you have a conclusion, later, which connects the "security vulnerabilities" with "CodeIgniter developers" as "responsible vendors"? It doesn't make any sense to me. It's really like a mechanic who blames the hammer and screwdriver (his own equipment) when the door that he made was poor and resulted in his house being robbed.

I'm not sure how you're interpreting my blog post, so I'll clarify. My point was simply that distributing an XSS sanitiser which, in all probability, has undiscovered security vulnerabilities is not the mark of a responsible vendor (in this case, EllisLab and/or the CodeIgniter developers responsible for this function). Bear in mind my security report specifically recommended deprecating and removing the XSS sanitiser due to its high risk of being compromised. Let's be brutally honest here that EllisLab is not alone. PEAR, for example, continues to distribute a package called HTML_Safe which I also recommended be removed - and it is an entire order of magnitude worse than CodeIgniter's XSS sanitiser. Would you call PEAR responsible?

It is simply my opinion that shipping risky software and downplaying the security impact of reported vulnerabilities (whether through innocent omission or not) is an irresponsible act. I'm trying to help here. I committed time to reviewing CodeIgniter at no cost and, despite having no reply from a developer, still kept my mouth shut for six weeks, giving them all the time in the world to take action. The only reason I even blogged it is because of the lack of accurate disclosure.

As a user you should be asking EllisLab why some guy could report 7-8 vulnerabilities in the first place and how they will ensure such a security scenario will be actively prevented going forward. Hoping something is secure does not make it so, and the next review may not be performed by someone as friendly :)




