I noticed that as of 1.5.4 or 1.6 that {cms_selflink} has been modified to clean all parameters using cms_htmlentities().
While this is generally a good security practice, I think that it hurts the flexibility of CMSMS for developers, without providing any security gains in the case of cms_selflink.
Here is why:
1. Loss of Flexibility
In order to keep my sites accessible I have made many links with an image followed by the link text encapsulated in tags. By making the visibility of the span tags none in the screen css, this gives a nice link image that still works in mobile and other applications.
HTML entities destroys this. Now I have to either change a large number of websites, or hack the tag when I upgrade them.
Another example is that I use Alby's TruetypeText module to generate nice link images and headlines, but it is always followed by the plain text encapsulated in tags. Again, html entities destroys both the image tags from TruetypeText and the span tags.
2. No Security Gains from Using this on CMS Selflink
In the vast majority of cases, CMS_Selflink is used by the site owner, designer, or authorized editors. These people do not have an incentive to put malicious code in the links, and if they did, they could do it anyway by hard coding the link. So using htmlentities to clean their input is no advantage.
In some cases modules may allow CMS_selflink to be included for front-end submissions. However, these submissions are supposed to be cleaned by the module at the time they are submitted.
So using HTMLentities in CMS Selflink doesn't really provide any gain in security, because if the link was submitted from the front end it should have already been cleaned.
I would like to suggest that future versions of Cms_selflink remove the htmlentities lines, or at least provide a parameter that can be used to turn it off.
Does anyone else agree or strongly disagree with me?
Thanks,
Ken
CMS_Selflink and HTMLEntities()
- Support Guru
- Posts: 8169
- Joined: Tue Oct 19, 2004 6:44 pm
- Location: Fernie British Columbia, Canada
Re: CMS_Selflink and HTMLEntities()
As responded to in the bug post, use {cms_selflink href='page'}; it just returns the href to the page, then you can make whatever link you want.
i.e.:
some text
Text is text, and should be treated as text.
Follow me on twitter
Please post system information from "Extensions >> System Information" (there is a bbcode option) on all posts asking for assistance.
--------------------
If you can't bother explaining your problem well, you shouldn't expect much in the way of assistance.
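The two approaches discussed above, side by side, as an added example that is not CMSMS code and not from either poster. It assumes cms_htmlentities() behaves like PHP's own htmlentities(), and the page lookup, aliases and URLs are constructed stand-ins. The first function mirrors the behaviour Ken describes (every parameter escaped, so markup in text= is rendered as literal entities); the second follows calguy's href-only suggestion, where the template owns the anchor and its inner markup while the page-derived URL still passes through the escaper.

```php
<?php
// Stand-in for cms_htmlentities(): assumed to behave like PHP's htmlentities().
function escape_param(string $value): string {
    return htmlentities($value, ENT_QUOTES, 'UTF-8');
}

// Hypothetical page lookup with constructed data (not the CMSMS hierarchy).
function lookup_page(string $alias): array {
    $pages = [
        'home'    => ['url' => '/index.php?page=home',    'title' => 'Home'],
        'contact' => ['url' => '/index.php?page=contact', 'title' => 'Contact "Us"'],
    ];
    return $pages[$alias] ?? ['url' => '/index.php?page=' . $alias, 'title' => $alias];
}

// Behaviour described in the thread: every parameter is escaped before it is
// written into the anchor, so tags inside text= come out as &lt;img ...&gt;.
function selflink_escaped(string $alias, string $text): string {
    $page = lookup_page($alias);
    return sprintf(
        '<a href="%s" title="%s">%s</a>',
        escape_param($page['url']),
        escape_param($page['title']),
        escape_param($text)
    );
}

// The href-only pattern: return just the (escaped) URL and let the template
// write the anchor, so editor-authored markup is never passed as a parameter.
function selflink_href(string $alias): string {
    return escape_param(lookup_page($alias)['url']);
}

// Constructed link body: image followed by screen-hidden text, as in the post.
$text = '<img src="/img/home.png" alt=""><span class="hidden">Home</span>';

// Fully escaped tag: the image and span are shown as literal text.
echo selflink_escaped('home', $text), "\n";

// Template-side anchor: the markup stays markup; only the URL is escaped.
echo '<a href="' . selflink_href('home') . '">' . $text . '</a>', "\n";

// A page title containing quotes still lands safely inside the attribute.
echo selflink_escaped('contact', 'Get in touch'), "\n";
```

The contact example is the case the escaping protects: a page title (or URL) that contains a quote or angle bracket is data, not markup, and escaping it keeps the attribute intact no matter who edited the page. The href-only form keeps that protection for page-derived values while leaving the anchor's contents to the template author.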
Re: CMS_Selflink and HTMLEntities()
Sure that works, and I've done that in a few cases before.
But now we do not get the advantage of automatically finding the title for title='', and now I must change the templates and GCBs of about ten sites in order to keep them updated.
Sure, that's my problem.
My question above is, is there any real benefit to cleaning the params of the CMS_SELFLINK tag? I don't think so.
You think so, Calguy?