ExpressionEngine CMS
This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.
Wow. Just ran into this SIX MONTHS OLD issue today.

June 13, 2011 6:54pm

  • #1 / Jun 13, 2011 6:54pm

    Adrienne L. Travis

    213 posts

    This question may be related to a resolved thread.

    It’s a major issue—“either (a) turn off an important security check, (b) disable important member-facing functionality, or (c) have PDF files potentially fail to upload and seriously piss off a client” is REALLY not an acceptable set of alternatives.

    Is there any word on a fix for this being in a version soon?

  • #2 / Jun 14, 2011 2:57pm

    John Henry Donovan

    12339 posts

    Adrienne,

    What version and build do you currently have installed?

    The XSS filter is always going to err on the side of false positives; the 2.1.5 beta release did add back two hidden config values, xss_clean_member_group_exception and xss_clean_member_exception.
    So you can leave XSS filtering on and override it for certain groups and/or members.

    With the EE2.2 release scheduled for the end of this month, these will be available to you.

    Does this help?
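
    As an added illustration of the override described in the post above (example code, not from the thread or from EllisLab), the two hidden config values would be set in the site's config.php. The key names are the two named in the post; the file path, the comma-separated numeric ID format, the xss_clean_uploads key used for the blanket disable, and the IDs 1 and 6 are assumptions for illustration.

```php
<?php
// Added example: XSS-filter exception overrides for ExpressionEngine 2.x.
// Assumed file: system/expressionengine/config/config.php
// Assumed value format: comma-separated numeric IDs. Key name for the blanket
// disable (xss_clean_uploads) and the IDs below are assumptions, not from the thread.

// Weak workaround: turn XSS filtering of uploads off for every member.
// Any account that can upload can then push scripted content through. Avoid.
// $config['xss_clean_uploads'] = 'n';

// Narrow override (2.1.5 beta and later, per the post above): keep the filter
// on globally and exempt only the trusted accounts that need to upload PDFs.
$config['xss_clean_member_group_exception'] = '6';   // assumed: the client's editor group
$config['xss_clean_member_exception']       = '1';   // assumed: one super-admin account
```

    The filter is bypassed entirely for the listed groups and members, so the lists should hold only accounts you would trust to upload raw HTML; every other member still gets the check, which is the point of preferring this over switching the filter off.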

  • #3 / Jun 14, 2011 3:10pm

    Adrienne L. Travis

    213 posts

    We’re running 2.1.3, can’t check the build # right at this moment.

    Sure, I understand that it will be fixed at “the end of this month”, but it’s amazingly frustrating to discover this in the middle of a client project, and find that it’s been a known issue for SIX MONTHS. As it is, we can’t wait for the upgrade and we can’t deploy a beta to production, and so we’re going to either DOWNGRADE to 2.1.2 or write some sort of workaround (which means extra development time).

    What really gets me is not even just that it’s a known issue, but that it’s a known issue with NO acceptable official workaround (“turn off XSS filtering” isn’t an ACCEPTABLE workaround, it leaves huge security holes).

  • #4 / Jun 15, 2011 12:59pm

    Sue Crocker

    26054 posts

    Hi, Adrienne. The release date for 2.2 is scheduled for the 22nd of this month, which is a few days from now. I can understand your frustration. We’ve fixed a lot of bugs this time around, and we’ve beefed up our dev and testing staff.

    I wouldn’t downgrade to EE2.1.2; it had its own issues.

    I’d temporarily disable xss sanitizing and when 2.2 comes out next week, deploy it on a local server, and test your .pdf files. You do have the option of FTPing up the problematic .pdf files as well. NOTE: this is a temporary problem.

  • #5 / Jun 15, 2011 3:27pm

    Adrienne L. Travis

    213 posts

    FTP doesn’t work for the client, who needs to be able to upload PDFs themselves. Also, 2.2 may break compatibility with other addons we are using, so we are really hesitant to deploy it a week before our project goes to QA on the 28th.

    But yes, I understand that the problem is temporary, in the sense of only having been a known issue to EllisLab for *six months* and being scheduled to go away (for people who can upgrade) later on this month.

    I am really frustrated, is all. And that makes me unhappy since i normally really love EE and the EllisLab folks. You guys just seem to have really fallen down on this one.

  • #6 / Jun 16, 2011 9:29am

    Sue Crocker

    26054 posts

    I can understand your frustration. Just out of curiosity, which add-ons are you worried about? We have contacted quite a few third party developers and they should be updating their offerings.
