a_bertrand, posted April 2, 2012

The new release offers increased security features. By default now, normal players cannot send HTML within any of the GET / POST variables. If this happens, an error will be displayed. You may of course disable this feature from within the admin panel.

The result of such a function is that even if a module forgets to use htmlentities or another filter function, the game should not be vulnerable to XSS attacks. That doesn't mean you should not filter the inputs of the users anymore, yet it adds another layer of protection.

The feature is disabled for admins as they should be able to edit tables and messages from the admin panel.

Files changed in this version:
index.php
install/installer.php
config/config.php
libs/common.php
libs/template.php
templates/simple_brown/functions.php
and added a new module: admin_html_filter

There is as well a new version of the dev version, which has a nicer PrettyMessage function; however, the feature of the HTML filter is not part of the DEV version.

Enjoy!
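A sketch of the kind of request-wide filter described in the post above, added here as an example and not taken from the release or its admin_html_filter module. The function names, the `$isAdmin` and `$filterEnabled` flags and the tag-matching rule are all assumptions.

```php
<?php
// Added example with hypothetical names; not the game engine's own code.

/** True when a string contains something a browser could parse as markup. */
function looks_like_html(string $value): bool
{
    // "<" directly followed by a letter, "/", "!" or "?" starts a tag,
    // closing tag, comment or declaration. Strict on purpose: "a<b" is
    // rejected too, which is the price of a filter that needs no parsing.
    return preg_match('~<[a-z/!?]~i', $value) === 1;
}

/** Walk a request array (nested arrays included); return the first offending name. */
function find_html_input(array $input, string $path = ''): ?string
{
    foreach ($input as $key => $value) {
        $name = $path === '' ? (string)$key : $path . '[' . $key . ']';
        // Parameter names can be echoed back by a module as well, so check them.
        if (looks_like_html((string)$key)) {
            return $name;
        }
        if (is_array($value)) {
            $hit = find_html_input($value, $name);
            if ($hit !== null) {
                return $hit;
            }
        } elseif (looks_like_html((string)$value)) {
            return $name;
        }
    }
    return null;
}

/** Returns [allowed, offending variable or null]. Admins and a disabled filter pass. */
function check_request(array $get, array $post, bool $isAdmin, bool $filterEnabled): array
{
    if (!$filterEnabled || $isAdmin) {
        return [true, null];
    }
    foreach (['GET' => $get, 'POST' => $post] as $source => $vars) {
        $hit = find_html_input($vars);
        if ($hit !== null) {
            return [false, $source . ' ' . $hit];
        }
    }
    return [true, null];
}

// Constructed sample request: one nested POST field carries markup.
$post = ['subject' => 'hello', 'body' => ['text' => '<b>bold</b>']];
foreach ([false, true] as $isAdmin) {
    [$ok, $where] = check_request([], $post, $isAdmin, true);
    // Escape the variable name before showing it in the error message.
    echo $ok ? "allowed\n" : 'blocked: ' . htmlspecialchars($where, ENT_QUOTES, 'UTF-8') . "\n";
}
```

A check like this belongs at the single entry point, before any module reads `$_GET` or `$_POST`, and leaves output escaping in the modules unchanged.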