Thread

This question may be related to a resolved thread.

It’s a major issue—“either (a) turn off an important security check, (b) disable important member-facing functionality, or (c) have PDF files potentially fail to upload and seriously piss off a client” is REALLY not an acceptable set of alternatives.

Is there any word on a fix for this being in a version soon?

Adrienne,

What version and build do you currently have installed?

XSS filter is always going to err on the side of false positives, the 2.1.5 beta release did add back 2 hidden config values- xss_clean_member_group_exception and xss_clean_member_exception.
So you can leave xss filtering on- and override it for certain groups and/or members. 

With the EE2.2 release scheduled for the end of this month these will be available to you

Does this help?

We’re running 2.1.3, can’t check the build # right at this moment.

Sure, I understand that it will be fixed at “the end of this month”, but it’s amazingly frustrating to discover this in the middle of a client project, and find that it’s been a known issue for SIX MONTHS. As it is, we can’t wait for the upgrade and we can’t deploy a beta to production, and so we’re going to either DOWNGRADE to 2.1.2 or write some sort of workaround (which means extra development time).

What really gets me is not even just that it’s a known issue, but that it’s a known issue with NO acceptable official workaround (“turn off XSS filtering” isn’t an ACCEPTABLE workaround, it leaves huge security holes).

Hi, Adrienne. The release date for 2.2 is scheduled for the 22nd of this month. Which is a few days from now. I can understand your frustration. We’ve fixed a lot of bugs this time around, and we’ve beefed up our dev and testing staff.

I wouldn’t downgrade to EE2.1.2. it had it’s own issues.

I’d temporarily disable xss sanitizing and when 2.2 comes out next week, deploy it on a local server, and test your .pdf files. You do have the option of FTPing up the problematic .pdf files as well. NOTE: this is a temporary problem.

FTP doesn’t work for the client, who needs to be able to upload PDFs themselves. Also, 2.2 may break compatibility with other addons we are using, so we are really hesitant to deploy it a week before our project goes to QA on the 28th.

But yes, I understand that the problem is temporary, in the sense of only having been a known issue to EllisLab for *six months* and being scheduled to go away (for people who can upgrade) later on this month.

I am really frustrated, is all. And that makes me unhappy since i normally really love EE and the EllisLab folks. You guys just seem to have really fallen down on this one.

I can understand your frustration. Just out of curiosity, which add-ons are you worried about? We have contacted quite a few third party developers and they should be updating their offerings.