
Re: PHP snippets (once again): msg#00056

php.drupal.documentation

Subject: Re: PHP snippets (once again)

Hi Kieran, you wrote on 07/05/2006 16:47:24:

>> Dear doc team,
>>
>> I looked at several snippets yesterday and to my horror many of
>> them contain *obvious*, major security holes. I've spoken with the
>> leader of the security team (chx) and we agreed to unpublish all
>> obviously insecure snippets, then have a discussion based on
>> numbers (ok vs. not ok) and how to proceed.
>>
>> In the limited sample set I've reviewed until now > 50% of the
>> snippets either
>>
>> - bypass 'access' security (sometimes titles, sometimes full nodes)
>> - allow XSS
>> - allow SQL injection
>> - allow a combination of the above
>
>Snippets are driven by Fergus. Fergus, what do you want us to do?
>
>Kieran

I haven't seen any insecure snippets, Kieran, but any *obvious* nasty ones
should be removed.
To answer your question "what do you want us to do?":

I suggest we leave in the warning that is on every snippet that is submitted
correctly and don't approve any handbook pages that have any *obvious* security
holes.

Fergus


--
Pending work: http://drupal.org/project/issues/documentation/
List archives: http://lists.drupal.org/pipermail/documentation/


