
Security Risk, second patch. PLEASE UPGRADE!

Hi all,
a new beta version (DaDaBIK 4.3 beta3) has been released in order to solve the second problem I posted about a few days ago, the one related to the use of the html content type. First of all, it is better to highlight that the problem could arise not only with the html content type but also with the rich_editor field type (together with a content type other than html); I think the rich_editor is usually used together with the html content type (it should be), but maybe someone used it in conjunction with other content types.

After having looked at some HTML sanitization libraries, I finally chose htmLawed. It seems to me that at the moment htmlpurifier is the most effective one in recognizing malicious code, but it appears to me too complex and heavy, and it also doesn't support PHP 4. htmLawed seems a good compromise.

The library is now used to filter the content (html content type and rich_editor field type) before displaying it. You must, however, keep in mind that, as the documentation states, there are some minor cases in which htmLawed can fail.
Since some people asked me about previous releases: as I already said in a comment, the security issues highlighted during the last days also affect the older releases of DaDaBIK, not just the last one.
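To make concrete what "filter the content before displaying it" means, here is an added example (my own illustration, not DaDaBIK's or htmLawed's code) showing the unpatched display pattern next to the patched one. It assumes the single-file library htmLawed.php is in the include path; the stored field value is a constructed sample of the kind of markup an attacker could have saved into an html content type field before the fix. The function names (show_unfiltered, show_filtered, show_escaped) are hypothetical and not DaDaBIK's.

```php
<?php
// Added example, not DaDaBIK's or htmLawed's own code.
// Assumes htmLawed.php (the single-file library) is in the include path.
require_once 'htmLawed.php';

// Constructed sample: markup an attacker might have stored in an "html"
// content type field (or via the rich_editor) in an unpatched release.
$stored = '<p>Hello <b>world</b></p>'
        . '<img src="x" onerror="alert(document.cookie)">'
        . '<a href="javascript:alert(1)">click</a>'
        . '<script>alert(1)</script>';

// Unpatched behaviour: the stored value is echoed as-is, so any script
// or event handler it contains runs in every viewer's browser.
function show_unfiltered($html) {
    return $html;
}

// Patched behaviour: the stored value is passed through htmLawed at
// display time. 'safe' => 1 removes script/object/embed/iframe-type
// elements, on* attributes and javascript: URLs; 'elements' whitelists
// only the tags a rich-text field legitimately needs; 'schemes' restricts
// href/src to a few URL schemes; 'deny_attribute' drops inline handlers
// and style. Filtering on output means old, already-stored data is
// covered too, not just new submissions.
function show_filtered($html) {
    $config = array(
        'safe'           => 1,
        'elements'       => 'a, b, i, em, strong, p, br, ul, ol, li, img',
        'schemes'        => 'href: http, https, mailto; src: http, https',
        'deny_attribute' => 'on*, style',
    );
    return htmLawed($html, $config);
}

// For any content type that is NOT html, do not try to sanitize markup:
// escape the value so it is shown literally and can never be parsed as HTML.
function show_escaped($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

echo show_filtered($stored), "\n";
echo show_escaped($stored), "\n";
```

The whitelist approach matters because, as noted above, a sanitizer can have edge cases where it fails: restricting the allowed elements and URL schemes narrows what an attacker has to work with, and for fields that are not meant to hold HTML at all, plain escaping is strictly safer than sanitizing.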

See the changelog for other details. The documentation has also been updated; if you read the on-line documentation this morning, there was a mistake about the version it related to: the documentation content was the new one (related to 4.3 beta3, already patched with htmLawed) but it stated it was about 4.3 beta2 (which is not patched with htmLawed), so be sure to read the right one (the on-line mistake has now been corrected) in order to avoid misunderstandings about the security problems that affect your version.



Ciao,
