Issue #29: June 13, 2003

13th June 2003 by Harald Ponce de Leon

osCommerce 2.2 Milestone 2 Release Date
User Input Now Sanitized
default.php Now index.php
New In The Press Section

Discussions regarding this weekly report can be found here:

osCommerce 2.2 Milestone 2 Release Date

The release date for osCommerce 2.2 Milestone 2 has been set to 17.06.2003.

This gives time to put the Administration Tool through the standards update routine and to perform a security audit on its code, as has already been done for the Catalog module.

We would appreciate it if you could help strengthen the codebase by testing the CVS sources and by submitting problems to the Bug Reporter.

The Bug Reporter can be reached here:

User Input Now Sanitized

All user input provided on the Catalog module is now put through a "strip-then-parse" process to prevent Cross Site Scripting vulnerabilities from occurring.

The "stripping" part replaces all occurrences of "<" and ">" characters in the user input with "_" characters, and the "parsing" part wraps the string in htmlspecialchars(), or a weaker equivalent where appropriate (e.g., form input fields), when it is displayed.
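As an added illustration of the two stages described above (this is not osCommerce's own code; the helper names strip_input, strip_request, output_text and output_form_value are hypothetical, and the sample request is constructed):

```php
<?php
// Added illustration of the "strip-then-parse" process.
// Hypothetical helper names, not osCommerce's own functions.

// Stage 1 ("strip"): applied to every incoming value at request time.
// Angle brackets become "_", so no tag can survive into the database or
// session even if a later display path forgets to encode the value.
function strip_input(string $value): string {
    return str_replace(['<', '>'], '_', $value);
}

// Recursively strip a whole input array such as $_GET or $_POST.
function strip_request(array $input): array {
    $clean = [];
    foreach ($input as $key => $value) {
        $clean[$key] = is_array($value)
            ? strip_request($value)
            : strip_input((string) $value);
    }
    return $clean;
}

// Stage 2 ("parse"): applied at display time. Full encoding for page text;
// ENT_QUOTES also covers single quotes, which matters inside attributes.
function output_text(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Weaker equivalent for form input field values (assumed form): "<" and ">"
// are already gone after stage 1, so only ampersands and quotes still need
// encoding to keep the value inside its value="..." attribute.
function output_form_value(string $value): string {
    return str_replace(['&', '"', "'"], ['&amp;', '&quot;', '&#039;'], $value);
}

// Constructed sample request, standing in for $_GET/$_POST.
$request = [
    'search'  => '<script>alert(1)</script>',
    'name'    => 'O\'Reilly "Books" & Co',
    'address' => ['city' => 'x" onmouseover="alert(2)'],
];

$clean = strip_request($request);

// Page text context: full htmlspecialchars() encoding.
echo '<p>Results for: ' . output_text($clean['search']) . "</p>\n";

// Form field context: the weaker quote/ampersand encoding is enough here
// because the stripping stage already removed every angle bracket.
echo '<input type="text" name="name" value="'
    . output_form_value($clean['name']) . "\">\n";
echo '<input type="text" name="city" value="'
    . output_form_value($clean['address']['city']) . "\">\n";
```

The point of doing both stages is defence in depth: the input-time strip means a stored value can never contain a complete tag, while the output-time encoding still handles quotes, so a value cannot break out of the attribute it is printed into even when the weaker form-field encoding is used.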

A "strip-then-parse" proposal will soon be added to the Wiki documentation site, which will go into further details of the implementation.

Once the proposal is online, it will be mentioned in the pending Weekly Summary Report as it is important that contribution authors follow the project standards to keep their work secure.

The Wiki documentation site can be reached here:

default.php Now index.php

The main catalog page has been renamed from default.php to index.php to minimize problems encountered on new installations.

All three modules (Catalog, Administration Tool, Installation) are now consistent with using index.php.

New In The Press Section

A new In The Press section has been added to the support site, which contains short blurbs on the project being reviewed in the public media.

Adding this section to the site had been pending for a while, and Internet Professionell moved it up our to-do list when it gave the project a whopping 94% rating in an open source online shop comparison review.

If you find the project being reviewed in the public media, please inform us about it and if possible forward the related material.

The new In The Press section can be reached here:
