Interferon (posted October 9, edited): I am adding a file into our system and want to include a URL in the description. If I just enter a URL in the parameter, it does not show a hyperlink for the URL, it just appears as plain text. Is there a way to encode these in the description text?
Interferon (author, posted October 9, edited): Apparently you can just submit HTML to this and it will work. So you would never want to submit this directly from a desktop application without running it through your own PHP script to filter the fields.
Marc (posted October 10): Interferon said: "So you would never want to submit this directly from a desktop application without running it through your own PHP script to filter the fields." Why wouldn't you filter the fields in your desktop application, rather than running through a PHP script? Just taking a look at the description of that item within the REST API, it does state what you can send there. Quote: "The description as HTML (e.g. "<p>This is an file.</p>"). Will be sanitized for requests using an OAuth Access Token for a particular member; will be saved unaltered for requests made using an API Key or the Client Credentials Grant Type."
Interferon (author, posted October 10): Marc said: "Why wouldn't you filter the fields in your desktop application, rather than running through a PHP script? Just taking a look at the description of that item within the REST API, it does state what you can send there." It's a security vulnerability. If they have access, the end user could create a program that makes calls to the API to insert HTML into pages.
Ryan Ashbrook (posted October 10, marked as solution): Are you using OAuth Tokens or just a REST API key? If you are using OAuth, then yes, you still need to submit HTML with the request; however, it will be parsed and sanitized according to the user's permissions to remove anything malicious (excluding those with HTML posting permission, which should be no one other than groups like Administrators). This is ideal for applications that end users submit to directly, like a Desktop app in your case. OAuth also limits requests based on a user's permissions, so even if they can submit files to the API, they can still only submit to categories they have permission to post to. If you're just using a REST API key, then it's assumed that the request is coming from a trusted source. This is for things only an administrator has complete control over (typically automated tasks).
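The practical consequence of the answer above is that, on the API-key path, whatever a client sends in the description is stored verbatim, so an API key must never ship inside a desktop app and any relay that holds the key has to sanitize on the client's behalf. The following is an added example, not Invision Community's code or API: it assumes a small relay you operate between the desktop app and the REST API, keeps only a short allowlist of tags and attributes, drops `script`/`style` bodies and `javascript:` or event-handler attributes, turns bare URLs into links (the original question), and closes any tags the submitter left open. The tag allowlist, the `rel` value and the `build_upload_payload` field name are this example's choices; only the `description` field name comes from the thread. Forwarding the request is left out because it needs the real endpoint and key.

```python
"""Relay-side HTML sanitizer for a user-supplied 'description' field.

Added example (not Invision Community code). The relay holds the API key,
so it must do the filtering that the OAuth path would otherwise do for us.
Uses only the standard library so it runs offline.
"""
import html
import re
from html.parser import HTMLParser

# Allowlist: everything else is dropped (tag removed, inner text kept).
ALLOWED_TAGS = {"p", "br", "strong", "em", "ul", "ol", "li", "a"}
VOID_TAGS = {"br"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_HREF = re.compile(r"^https?://", re.IGNORECASE)      # no javascript:, data:, etc.
URL_RE = re.compile(r"https?://[^\s<>\"']+")               # bare URLs to linkify
LINK_REL = "nofollow noopener"                               # assumed policy value


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.stack = []        # open allowed tags, so we can close what the user forgot
        self.skip_depth = 0    # >0 while inside <script>/<style>; their text is discarded

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            return                                  # strip tag, keep its text
        kept = []
        for name, value in attrs:
            # Only allowlisted attributes survive; href must be an absolute http(s) URL.
            if name in ALLOWED_ATTRS.get(tag, set()) and value and SAFE_HREF.match(value.strip()):
                kept.append(f' {name}="{html.escape(value.strip(), quote=True)}"')
        if tag == "a":
            if not kept:
                return                              # <a> without a safe href: keep text only
            kept.append(f' rel="{LINK_REL}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if tag not in self.stack:
            return                                  # stray close tag (or dropped tag)
        while self.stack:                           # close anything nested inside it too
            open_tag = self.stack.pop()
            self.out.append(f"</{open_tag}>")
            if open_tag == tag:
                break

    def handle_data(self, data):
        if self.skip_depth:
            return
        if "a" in self.stack:                       # already inside a link: plain text only
            self.out.append(html.escape(data, quote=False))
            return
        pos = 0
        for m in URL_RE.finditer(data):             # linkify bare URLs in text
            self.out.append(html.escape(data[pos:m.start()], quote=False))
            url = m.group(0)
            self.out.append(
                f'<a href="{html.escape(url, quote=True)}" rel="{LINK_REL}">'
                f'{html.escape(url, quote=False)}</a>'
            )
            pos = m.end()
        self.out.append(html.escape(data[pos:], quote=False))

    def result(self):
        self.close()                                # flush buffered text
        while self.stack:                           # close tags the submitter left open
            self.out.append(f"</{self.stack.pop()}>")
        return "".join(self.out)


def sanitize_description(raw: str) -> str:
    s = Sanitizer()
    s.feed(raw)
    return s.result()


def build_upload_payload(user_fields: dict) -> dict:
    """What the relay forwards with its API key: the description is filtered
    here because the API-key path saves it unaltered (field name from the thread)."""
    return {"description": sanitize_description(user_fields.get("description", ""))}


if __name__ == "__main__":
    # Constructed hostile input, as a desktop client could send it.
    hostile = ('<p>See https://example.com/docs for details</p><script>alert(1)</script>'
               '<img src=x onerror=alert(1)><a href="javascript:alert(1)" onclick="x()">click</a>')
    print(build_upload_payload({"description": hostile})["description"])
```

If the desktop app authenticates with the user's own OAuth token instead, this relay is unnecessary for the reason Ryan gives: the server sanitizes per the member's permissions. The relay is only for the case where the credential is an API key, and even then the key stays on the relay, never in the shipped binary.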
Interferon (author, posted October 10): Thank you for the information. I did not know that!