[pLog-svn] r2462 - plog/branches/plog-1.0.2/templates/summary
Mark Wu
markplace at gmail.com
Mon Sep 12 13:43:28 GMT 2005
I remember we fixed this when someone mentioned in the forum that there might be
an XSS attack in pLog ... :D
Mark
> -----Original Message-----
> From: Mark Wu [mailto:markplace at gmail.com]
> Sent: Monday, September 12, 2005 9:41 PM
> To: 'plog-svn at devel.plogworld.net'
> Subject: RE: [pLog-svn] r2462 -
> plog/branches/plog-1.0.2/templates/summary
>
> Hi Jon:
>
> Kindly take a look at _fetchCommonData() in
> /class/action/adminpostmanagementcommonaction.class.php, we
> already filter the html before we save it.. :D
>
> $this->_postTopic = trim(Textfilter::xhtmlize(Textfilter::filterAllHTML($this->_request->getValue( "postTopic" ))));
>
> Mark
>
> > -----Original Message-----
> > From: plog-svn-bounces at devel.plogworld.net
> > [mailto:plog-svn-bounces at devel.plogworld.net] On Behalf Of Jon Daley
> > Sent: Monday, September 12, 2005 9:24 PM
> > To: plog-svn at devel.plogworld.net
> > Subject: RE: [pLog-svn] r2462 -
> > plog/branches/plog-1.0.2/templates/summary
> >
> > Are you sure? I don't think so.
> >
> > On Mon, 12 Sep 2005, Mark Wu wrote:
> > > Hi Jon:
> > >
> > > Sorry, forgot to mention another thing, we already filter postTopic
> > > html tag in 1.0.2... Therefore, I think we don't need to
> > > strip them in summary again.
> > >
> > > Mark
> > >
> > >> -----Original Message-----
> > >> From: Mark Wu [mailto:markplace at gmail.com]
> > >> Sent: Sunday, September 11, 2005 11:11 PM
> > >> To: 'plog-svn at devel.plogworld.net'
> > >> Subject: RE: [pLog-svn] r2462 -
> > >> plog/branches/plog-1.0.2/templates/summary
> > >>
> > >> Hi Jon:
> > >>
> > >> I just think if we "have to" strip tags for comment topic, why don't
> > >> we just remove it before we save the comments?
> > >>
> > >> How do you think?
> > >>
> > >> Mark
> > >>
> > >>> -----Original Message-----
> > >>> From: plog-svn-bounces at devel.plogworld.net
> > >>> [mailto:plog-svn-bounces at devel.plogworld.net] On Behalf Of
> > >>> jondaley at devel.plogworld.net
> > >>> Sent: Sunday, September 11, 2005 7:32 PM
> > >>> To: plog-svn at devel.plogworld.net
> > >>> Subject: [pLog-svn] r2462 -
> > >> plog/branches/plog-1.0.2/templates/summary
> > >>>
> > >>> Author: jondaley
> > >>> Date: 2005-09-11 11:32:08 +0000 (Sun, 11 Sep 2005)
> > >>> New Revision: 2462
> > >>>
> > >>> Modified:
> > >>> plog/branches/plog-1.0.2/templates/summary/post.template
> > >>> plog/branches/plog-1.0.2/templates/summary/summary.template
> > >>> Log:
> > >>> remove html tags from comment Topic, in all cases. Remove html from
> > >>> postTopic, in admin interface. This doesn't entirely solve the
> > >>> problem, because if users want to allow <a href=blah>...</a> in their
> > >>> comments (and plog does that by default) then the user is also allowed
> > >>> to have the iframe attribute tag stuff. A fair amount of discussion on
> > >>> the strip_tags section of php.net
> > >>>
> > >>> Modified:
> > >>> plog/branches/plog-1.0.2/templates/summary/post.template
> > >>>
> > >>> ===================================================================
> > >>> --- plog/branches/plog-1.0.2/templates/summary/post.template
> > >>> 2005-09-11 11:04:03 UTC (rev 2461)
> > >>> +++ plog/branches/plog-1.0.2/templates/summary/post.template
> > >>> 2005-09-11 11:32:08 UTC (rev 2462) @@ -1,6 +1,6 @@
> > >>> {assign var="blog" value=$post->getBlogInfo()}
> > >>> {assign var="request"
> value=$blog->getBlogRequestGenerator()}
> > >>> - <h5>{$post->getTopic()}</h5>
> > >>> + <h5>{$post->getTopic()|strip_tags}</h5>
> > >>> <div class="subtitle">
> > >>> {$locale->tr("blog")} <a
> > >>> href="{$request->blogLink()}">{$blog->getBlog()}</a>
> > >>> </div>
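Review bot: `{$post->getTopic()|strip_tags}` in the `<h5>` is a tag-removal step, not an output encoding: `strip_tags` drops `<...>` sequences and leaves everything else, including any attribute on a tag that an allow-list lets through, which is exactly the limitation the log message describes. A topic is rendered here as plain heading text with no markup expected, so the modifier that matches this context is `escape` (Smarty's htmlspecialchars wrapper), i.e. `<h5>{$post->getTopic()|escape}</h5>`. That keeps the heading safe regardless of whether the admin-side `Textfilter::filterAllHTML` filter mentioned elsewhere in the thread ran on the stored value, which matters for posts saved by older code paths.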
> > >>> @@ -19,4 +19,4 @@
> > >>> <img src="imgs/comment.png" width="11" height="10"
> > >>> alt="{$locale->tr("comments")}" />
> > >>> <a
> > >>> href="{$request->postPermalink($post)}#comments">{if
> > >>> $post->getTotalComments() eq 0}{$locale->tr("comment on
> > >>> this")}{else}{$post->getTotalComments()}
> > >>> {$locale->tr("comments")|capitalize}{/if}</a>
> > >>> <br style="clear: both;" />
> > >>> - </div>
> > >>> \ No newline at end of file
> > >>> + </div>
> > >>>
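Review bot: this hunk only adds the missing newline at end of file after the closing `</div>`. It is unrelated whitespace cleanup bundled into a security fix, which makes the revision harder to review and to cherry-pick onto other branches; it belongs in its own commit, or at minimum should be mentioned in the log message.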
> > >>> Modified:
> > >>> plog/branches/plog-1.0.2/templates/summary/summary.template
> > >>>
> > >>> ===================================================================
> > >>> ---
> > >>> plog/branches/plog-1.0.2/templates/summary/summary.template
> > >>> 2005-09-11 11:04:03 UTC (rev 2461)
> > >>> +++
> > >>> plog/branches/plog-1.0.2/templates/summary/summary.template
> > >>> 2005-09-11 11:32:08 UTC (rev 2462) @@ -1,6 +1,6 @@ {include
> > >>> file="summary/header.template"}
> > >>> {foreach from=$posts item=post}
> > >>> - <h3>{$post->getTopic()}</h3>
> > >>> + <h3>{$post->getTopic()|strip_tags}</h3>
> > >>> {assign var="postDate" value=$post->getDateObject()} {assign
> > >>> var="postOwner" value=$post->getUserInfo()} <span
> > >>> class="date">{$postOwner->getUsername()} |
> > >>> {$locale->formatDate($postDate,"%d %B, %Y %H:%M")}</span>
> > >>>
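Review bot: the `<h3>` in summary.template gets the same `|strip_tags` treatment as post.template and has the same gap (nothing encodes what remains), so `|escape` is the better fit here as well. Separately, the log message says html is removed from the comment topic "in all cases" and from postTopic "in admin interface", but the only two files in this revision are summary templates rendering `$post->getTopic()`; no comment template and no admin-side file is touched. Either the log overstates the change or part of it is missing from r2462; please make the two agree.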
> > >>> _______________________________________________
> > >>> pLog-svn mailing list
> > >>> pLog-svn at devel.plogworld.net
> > >>> http://devel.plogworld.net/mailman/listinfo/plog-svn
> > >
> >
> > **************************************
> > Jon Daley
> > http://jon.limedaley.com/plog/
> >
> > Quoting: the act of repeating erroneously the words of another.
> > -- Ambrose Bierce
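The thread turns on the difference between the two controls: stripping tags (at save time via `Textfilter::filterAllHTML`, or at render time via the `strip_tags` modifier) versus encoding at output. The following is an added example, not pLog's code, and it does not reproduce the `Textfilter` class; the function names and the sample topics are constructed for illustration. It shows why an allow-list `strip_tags` is not a sanitizer (attributes on a permitted `<a>` survive, which is the case the commit log refers to) and what `htmlspecialchars` does to the same input.

```php
<?php
// Added example (not pLog code): contrasts two output controls for a plain-text
// field such as a post or comment topic.
//   A. strip_tags() with an allow-list (what Smarty's |strip_tags modifier wraps)
//      removes tags but keeps every attribute on the tags it lets through.
//   B. htmlspecialchars() encodes the markup characters, so the browser never
//      interprets the value as HTML at all.
// Textfilter::filterAllHTML()/xhtmlize() from the thread are not reproduced here.

// Constructed sample topics, as a user might submit them.
$samples = [
    'Plain title',
    '<b>Bold</b> title',
    // A permitted <a> tag carrying an event-handler attribute: the case the
    // commit log describes when links are allowed in comments.
    '<a href="http://example.invalid/" onmouseover="doSomething()">link</a>',
];

// Control A: tag stripping with <a> permitted (mirrors allowing links in comments).
function stripWithLinksAllowed(string $topic): string
{
    return strip_tags($topic, '<a>');
}

// Control B: escape for an HTML text context. Correct for a heading that is
// plain text, because nothing in the value is meant to be markup.
function escapeForHtml(string $topic): string
{
    return htmlspecialchars($topic, ENT_QUOTES, 'UTF-8');
}

// Returns true when a stripped value still carries an on* attribute, i.e. when
// strip_tags() has let an event handler through unchanged.
function keepsEventHandler(string $stripped): bool
{
    return (bool) preg_match('/\son[a-z]+\s*=/i', $stripped);
}

foreach ($samples as $topic) {
    $stripped = stripWithLinksAllowed($topic);
    $escaped  = escapeForHtml($topic);
    printf("input:    %s\n", $topic);
    printf("stripped: %s  [event handler kept: %s]\n",
        $stripped, keepsEventHandler($stripped) ? 'yes' : 'no');
    printf("escaped:  %s\n\n", $escaped);
}
```

Running it shows the third sample passing through `strip_tags` with its `onmouseover` attribute intact, while the escaped form renders as literal text in a browser. The practical rule the thread is circling is: filter on input if you want to store clean data, but always encode for the output context as well, since stored values may predate the filter or arrive through another path.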