diff options
Diffstat (limited to 'doc/source/features.rst')
| -rw-r--r-- | doc/source/features.rst | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/doc/source/features.rst b/doc/source/features.rst index afe139a..8ecf57d 100644 --- a/doc/source/features.rst +++ b/doc/source/features.rst | |||
| @@ -321,6 +321,19 @@ Snuffleupagus can prevent the execution of this kind of file. A good practice | |||
| 321 | would be to use a different user to run PHP than for administrating the website, | 321 | would be to use a different user to run PHP than for administrating the website, |
| 322 | and using this feature to lock this up. | 322 | and using this feature to lock this up. |
| 323 | 323 | ||
| 324 | .. _eval-feature: | ||
| 325 | |||
| 326 | White and blacklist in ``eval`` | ||
| 327 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | ||
| 328 | |||
| 329 | While `eval <https://secure.php.net/manual/en/function.eval.php>`__ is a | ||
| 330 | dangerous primitive, tricky to use right, with almost no legitimate usage | ||
| 331 | besides templating and building mathematical expressions based on user input, | ||
| 332 | it's broadly (mis)used all around the web. | ||
| 333 | |||
| 334 | Snuffleupagus provides a white and blacklist mechanism, to explicitly allow | ||
| 335 | and forbid specific functions call from being issued inside ``eval``. | ||
| 336 | |||
| 324 | 337 | ||
| 325 | Protection against cross site request forgery | 338 | Protection against cross site request forgery |
| 326 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | 339 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |