Hello Community,
In CMSimple_XH 1.5.4 a check for valid user input for all the values of GET and POST parameters was introduced as an additional security and stability measure. Otherwise an attacker might fool various routines by using unexpected non-UTF-8 byte sequences. In CMSimple_XH 1.6 this check was extended to all SERVER variable values as well as the GET and POST keys. I suggest that we add this additional security measure for XH 1.5.10.
However, I'm not yet sure about the negative performance impact. It seems the current implementation takes quite some time, and should be improved. I'll open another thread regarding this issue.
Christoph
XH 1.5.10: Extend checking input for valid UTF-8
Christoph M. Becker – Plugins for CMSimple_XH
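The check described in the post above, sketched as an added example; this is not CMSimple_XH's own code and not part of the original thread. The function names are hypothetical, the sample arrays are constructed, and PHP 7 or later is assumed. It validates GET and POST keys and values plus SERVER values, and stops at the first malformed string.

```php
<?php
// Added example: hypothetical helper names, not CMSimple_XH functions.

/** Returns true if $s is a well-formed UTF-8 byte sequence. */
function is_valid_utf8(string $s): bool
{
    // With the /u modifier PCRE validates the subject as UTF-8 before
    // matching; preg_match() returns false (not 0) when it is malformed.
    return preg_match('//u', $s) === 1;
}

/** Recursively checks the values, and optionally the keys, of an array. */
function all_valid_utf8(array $input, bool $checkKeys): bool
{
    foreach ($input as $key => $value) {
        // Numeric-looking keys are stored as ints and need no check.
        if ($checkKeys && is_string($key) && !is_valid_utf8($key)) {
            return false;
        }
        if (is_array($value)) {
            // Parameters such as a[b][]=x arrive as nested arrays.
            if (!all_valid_utf8($value, $checkKeys)) {
                return false;
            }
        } elseif (is_string($value) && !is_valid_utf8($value)) {
            return false;
        }
    }
    return true;
}

/** GET and POST: keys and values. SERVER: values only, as in the post. */
function request_is_valid_utf8(array $get, array $post, array $server): bool
{
    return all_valid_utf8($get, true)
        && all_valid_utf8($post, true)
        && all_valid_utf8($server, false);
}

// Constructed sample input (in a real request: $_GET, $_POST, $_SERVER).
$okGet     = ['selected' => "Caf\xC3\xA9", 'tags' => ['a', 'b']];
$badValue  = ['q' => "\xC3\x28"];                   // broken 2-byte sequence
$badKey    = ['f' => ["k\xFF" => 'nested']];        // malformed nested key
$badServer = ['HTTP_USER_AGENT' => "Mozilla\xE9"];  // Latin-1 byte, not UTF-8

var_dump(request_is_valid_utf8($okGet, [], ['REQUEST_TIME' => 0]));
var_dump(request_is_valid_utf8($badValue, [], []));
var_dump(request_is_valid_utf8([], $badKey, []));
var_dump(request_is_valid_utf8($okGet, [], $badServer));
```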
Re: XH 1.5.10: Extend checking input for valid UTF-8
Oops--I'd totally forgotten to put this issue on the roadmap. As it seems, it might be better to leave that as is--at least the issue had to be investigated more thoroughly, see http://cmsimpleforum.com/viewtopic.php?f=10&t=7182.
Christoph M. Becker – Plugins for CMSimple_XH