Leigh B Stoller authored
We had a couple of different problems actually. * We allow users to insert html into many DB fields (say, a project or experiment description). * We did not sanitize that output when displaying back. * We did not sanitize initial page arguments that were reflected in the output (say, in a form). Since no one has the time to analyze every line of code, I took a couple of shortcuts. The first is that I changed the regex table to not allow any <> chars to go from the user into the DB. Brutal, but in fact there are only a couple of places where a user legitimately needs them. For example, a startup command that includes redirection. I handle those as special cases. As more come up, we can fix them. I did a quick pass through all of the forms, and made sure that we run htmlspecialchars on everything including initial form args. This was not too bad cause of the way all of the forms are structured, with a "formfields" array. I also removed a bunch of obsolete code and added an update script to actually remove them from the www directory. Lastly, I purged some XMLRPC code I did a long time ago in the Begin Experiment path. Less complexity, easier to grok and fix. modified: sql/database-fill.sql modified: sql/dbfill-update.sql6cf701f9
To learn more about this project, read the wiki.