TextValidator is insecure
The TextValidator currently allows strings like
%3cspan style="color: #BBBBBB;"%3ea nice text%3c/span%3e
It seems like we can't solve this completely with filter_var because then characters like percent, semikolon, quotes etc. can't be used in a text. In general the test case lacks realistic string which should pass the validator.
[~BUGFIX] FLOW3 (Validation): The ValidatorResolver test case failed - but only if the Blog package was installed. This was due to some Blog model being used by a data provider which in reality should have been a sample, not existing class. Fixed that.
[~TASK] FLOW3 (Validation): The TextValidator was too restrictive because it did not allow line breaks and other common characters - now it does. However, it's not really secure yet. Relates to #3977
[+BUGFIX] Fluid (Core): Added some safe guard and aception to the Abstract Node which would exit with a fatal error in some cases.
#10 Updated by Christian Müller almost 8 years ago
- Status changed from Accepted to Rejected
- Assignee deleted (
The test improvements are in review now, I will close this, we could decide to deprecate the TextValidator at some point. I added also some longer comment to the TextValidator to point out that it won't make sure the validated string is secure in all possible output environments.