Commit a40e1a61 authored by Sean Madsen's avatar Sean Madsen

Broaden scope of PHPIDS

Clarify that PHPIDS is not just about inputs which are saved to the
database, but actually all inputs (e.g. GET params) even ones that
aren't saved to the DB.
parent b65cc4d4
......@@ -50,6 +50,6 @@ Note that `CRM_Utils_API_HTMLInputCoder::encodeInput()` only encodes `<` and `>`
When accepting untrusted data with rich text (uncommon), pass the data through `CRM_Utils_String::purifyHTML` to remove XSS.
### PHPIDS
## PHPIDS
CiviCRM Implements the PHP Intrusion Detection System to assist in preventing harmful content being saved into the database. The PHPIDS system is triggered on all fields. There are standard suite of fields that are excluded and they can be found in the `CRM_Core_IDS` class. The PHPIDS system scans the submitted content and returns a numerical value as to how dangerous the submitted content is from 0 - 100. Three type of actions can be taken based on the numerical score. Either the content is not saved and a message is given out to the user saying there is suspect content which is known as kick. The next action down is just to present a warning to the user. This indicates to the user that there may be some XSS in the content but the context gets saved to the database. The next step down is that the report is logged in the CiviCRM logs and no message is displayed to the user. The PHPIDS is implemented in a bid to assist in preventing XSS, sqli and other dangerous code being saved in the database. More information on PHPIDS can be found in the [documentation](https://github.com/PHPIDS/PHPIDS). Developers are able to alter the list of Exceptions through [hook_civicrm_idsException](/hooks/hook_civicrm_idsException.md). Fields can also be altered through the Menu hooks [hook_civicrm_xmlMenu](/hooks/hook_civicrm_xmlMenu.md#xml-ids) and [hook_civicrm_alterMenu](/hooks/hook_civicrm_alterMenu.md]).
CiviCRM Implements the PHP Intrusion Detection System to automatically assist in preventing harmful inputs. The PHPIDS system is triggered on all fields. There are standard suite of fields that are excluded and they can be found in the `CRM_Core_IDS` class. The PHPIDS system scans the submitted content and returns a numerical value as to how dangerous the submitted content is from 0 - 100. Three type of actions can be taken based on the numerical score. Either the content is not saved and a message is given out to the user saying there is suspect content which is known as kick. The next action down is just to present a warning to the user. This indicates to the user that there may be some XSS in the content but the context gets saved to the database. The next step down is that the report is logged in the CiviCRM logs and no message is displayed to the user. The PHPIDS is implemented in a bid to assist in preventing XSS, sqli and other dangerous code being saved in the database. More information on PHPIDS can be found in the [documentation](https://github.com/PHPIDS/PHPIDS). Developers are able to alter the list of Exceptions through [hook_civicrm_idsException](/hooks/hook_civicrm_idsException.md). Fields can also be altered through the Menu hooks [hook_civicrm_xmlMenu](/hooks/hook_civicrm_xmlMenu.md#xml-ids) and [hook_civicrm_alterMenu](/hooks/hook_civicrm_alterMenu.md]).
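Review bot: the rewritten paragraph still ends with "in a bid to assist in preventing XSS, sqli and other dangerous code being saved in the database", which keeps exactly the database-only framing the commit message says it is removing; suggest "in a bid to assist in preventing XSS, SQL injection and other dangerous input from being processed, whether or not it is saved to the database". While here, "the context gets saved to the database" should read "the content gets saved", "Three type of actions" should be "Three types of action", and the final link `[hook_civicrm_alterMenu](/hooks/hook_civicrm_alterMenu.md])` has a stray `]` that will break rendering. The heading change from `###` to `##` is not mentioned in the commit message; if PHPIDS is being promoted out of the enclosing section on purpose, note that in the message so the structural change is not mistaken for an accident.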