[pLog-svn] r2462 - plog/branches/plog-1.0.2/templates/summary

Mark Wu markplace at gmail.com
Mon Sep 12 13:43:28 GMT 2005


I remember we fixed this when someone mentioned in the forum that there might be
an XSS attack in pLog  ... :D

Mark

> -----Original Message-----
> From: Mark Wu [mailto:markplace at gmail.com] 
> Sent: Monday, September 12, 2005 9:41 PM
> To: 'plog-svn at devel.plogworld.net'
> Subject: RE: [pLog-svn] r2462 - 
> plog/branches/plog-1.0.2/templates/summary
> 
> Hi Jon:
> 
> Kindly take a look at _fetchCommonData() in 
> /class/action/adminpostmanagementcommonaction.class.php , we 
> already filter the html before we save it.. :D
> 
> $this->_postTopic = trim(Textfilter::xhtmlize(Textfilter::filterAllHTML($this->_request->getValue( "postTopic" ))));
> 
> Mark
> 
> > -----Original Message-----
> > From: plog-svn-bounces at devel.plogworld.net
> > [mailto:plog-svn-bounces at devel.plogworld.net] On Behalf Of Jon Daley
> > Sent: Monday, September 12, 2005 9:24 PM
> > To: plog-svn at devel.plogworld.net
> > Subject: RE: [pLog-svn] r2462 -
> > plog/branches/plog-1.0.2/templates/summary
> > 
> > Are you sure?  I don't think so.
> > 
> > On Mon, 12 Sep 2005, Mark Wu wrote:
> > > Hi Jon:
> > >
> > > Sorry, forgot to mention another thing: we already filter postTopic
> > > html tags in 1.0.2... Therefore, I think we don't need to
> > > strip them in summary again.
> > >
> > > Mark
> > >
> > >> -----Original Message-----
> > >> From: Mark Wu [mailto:markplace at gmail.com]
> > >> Sent: Sunday, September 11, 2005 11:11 PM
> > >> To: 'plog-svn at devel.plogworld.net'
> > >> Subject: RE: [pLog-svn] r2462 -
> > >> plog/branches/plog-1.0.2/templates/summary
> > >>
> > >> Hi Jon:
> > >>
> > >> I just think if we "have to" strip tags for comment topic, why don't
> > >> we just remove it before we save the comments?
> > >>
> > >> What do you think?
> > >>
> > >> Mark
> > >>
> > >>> -----Original Message-----
> > >>> From: plog-svn-bounces at devel.plogworld.net
> > >>> [mailto:plog-svn-bounces at devel.plogworld.net] On Behalf Of 
> > >>> jondaley at devel.plogworld.net
> > >>> Sent: Sunday, September 11, 2005 7:32 PM
> > >>> To: plog-svn at devel.plogworld.net
> > >>> Subject: [pLog-svn] r2462 -
> > >> plog/branches/plog-1.0.2/templates/summary
> > >>>
> > >>> Author: jondaley
> > >>> Date: 2005-09-11 11:32:08 +0000 (Sun, 11 Sep 2005)
> > >>> New Revision: 2462
> > >>>
> > >>> Modified:
> > >>>    plog/branches/plog-1.0.2/templates/summary/post.template
> > >>>    plog/branches/plog-1.0.2/templates/summary/summary.template
> > >>> Log:
> > >>> remove html tags from comment Topic, in all cases.  Remove html from
> > >>> postTopic, in admin interface.  This doesn't entirely solve the
> > >>> problem, because if users want to allow <a href=blah>...</a> in their
> > >>> comments (and plog does that by default) then the user is also allowed
> > >>> to have the iframe attribute tag stuff.  A fair amount of discussion on
> > >>> the strip_tags section of php.net
> > >>>
> > >>> Modified: 
> plog/branches/plog-1.0.2/templates/summary/post.template
> > >>> 
> > ===================================================================
> > >>> --- plog/branches/plog-1.0.2/templates/summary/post.template
> > >>> 2005-09-11 11:04:03 UTC (rev 2461)
> > >>> +++ plog/branches/plog-1.0.2/templates/summary/post.template
> > >>> 2005-09-11 11:32:08 UTC (rev 2462) @@ -1,6 +1,6 @@
> > >>>      {assign var="blog" value=$post->getBlogInfo()}
> > >>>  	{assign var="request" 
> value=$blog->getBlogRequestGenerator()}
> > >>> -    <h5>{$post->getTopic()}</h5>
> > >>> +    <h5>{$post->getTopic()|strip_tags}</h5>
> > >>>      <div class="subtitle">
> > >>>          {$locale->tr("blog")} <a
> > >>> href="{$request->blogLink()}">{$blog->getBlog()}</a>
> > >>>      </div>
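Review bot: `{$post->getTopic()|strip_tags}` on the `<h5>` line removes tag-shaped text but does not encode what is left, so a topic containing a bare `<`, `>`, `&` or a quote is still written raw into the markup, and, as the log message itself concedes, stripping is no help once some tags are allowed. For a title that should never carry markup, `{$post->getTopic()|escape}` (Smarty's escape modifier, htmlspecialchars by default) is the stronger render-time fix, and it also covers rows stored before any save-time filter existed, a case that Mark's reply about `Textfilter::filterAllHTML()` in `_fetchCommonData()` does not address.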
> > >>> @@ -19,4 +19,4 @@
> > >>>          <img src="imgs/comment.png" width="11" height="10"
> > >>> alt="{$locale->tr("comments")}" />&nbsp;
> > >>>          <a
> > >>> href="{$request->postPermalink($post)}#comments">{if
> > >>> $post->getTotalComments() eq 0}{$locale->tr("comment on 
> > >>> this")}{else}{$post->getTotalComments()}
> > >>> {$locale->tr("comments")|capitalize}{/if}</a>
> > >>>          <br style="clear: both;" />
> > >>> -    </div>
> > >>> \ No newline at end of file
> > >>> +    </div>
> > >>>
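Review bot: this hunk only adds the missing trailing newline to post.template (the `\ No newline at end of file` marker on the `-    </div>` line); it is unrelated to the strip_tags change and is not mentioned in the log message, so it would be clearer as its own whitespace-only commit.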
> > >>> Modified:
> > >> plog/branches/plog-1.0.2/templates/summary/summary.template
> > >>> 
> > ===================================================================
> > >>> ---
> > >>> plog/branches/plog-1.0.2/templates/summary/summary.template
> > >>> 2005-09-11 11:04:03 UTC (rev 2461)
> > >>> +++
> > >>> plog/branches/plog-1.0.2/templates/summary/summary.template
> > >>> 2005-09-11 11:32:08 UTC (rev 2462) @@ -1,6 +1,6 @@  {include 
> > >>> file="summary/header.template"}
> > >>>   {foreach from=$posts item=post}
> > >>> -   <h3>{$post->getTopic()}</h3>
> > >>> +   <h3>{$post->getTopic()|strip_tags}</h3>
> > >>>  {assign var="postDate" value=$post->getDateObject()} {assign 
> > >>> var="postOwner" value=$post->getUserInfo()}  <span 
> > >>> class="date">{$postOwner->getUsername()} | 
> > >>> {$locale->formatDate($postDate,"%d %B, %Y %H:%M")}</span>
> > >>>
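Review bot: the log message says this revision removes HTML from "comment Topic, in all cases" and from "postTopic, in admin interface", but both hunks change `$post->getTopic()` in the two summary templates only; no comment template and nothing under an admin path is in the diff, so either the log message or the change is incomplete. If other templates render `getTopic()` unfiltered they need the same treatment, and `|escape` rather than `|strip_tags` would be the safer render-time choice for this `<h3>` as well, since it encodes rather than deletes and never silently alters a legitimate title.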
> > >>> _______________________________________________
> > >>> pLog-svn mailing list
> > >>> pLog-svn at devel.plogworld.net
> > >>> http://devel.plogworld.net/mailman/listinfo/plog-svn
> > >
> > 
> > **************************************
> > Jon Daley
> > http://jon.limedaley.com/plog/
> > 
> > Quoting: the act of repeating erroneously the words of another.
> > -- Ambrose Bierce
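The thread turns on whether filtering a topic when it is saved (Mark's `Textfilter::filterAllHTML()`) makes stripping at render time unnecessary. The PHP below is an added example, not pLog's code: it stands in for pLog's Textfilter and the Smarty `strip_tags` modifier with plain PHP functions (an assumption) and shows why an encoder at render time is the layer that holds regardless of what the save path did.

```php
<?php
// Added example, not pLog code. pLog's Textfilter::filterAllHTML()/xhtmlize()
// and the Smarty strip_tags modifier are not reproduced; the stand-ins below
// use plain PHP functions (an assumption) to separate the two layers the
// thread argues about.

// Layer 1, save time: a content policy. strip_tags() with no allowed tags
// drops anything shaped like a tag, but it is not an encoder: text that is
// not a tag (&, quotes, "3 < 4") passes through unchanged, and rows stored
// before the filter existed, or through another code path, never see it.
function filterTopicOnSave(string $topic): string
{
    return trim(strip_tags($topic));
}

// Layer 2, render time: an encoder. htmlspecialchars() turns every <, >, &,
// " and ' into an entity, so whatever reached the database is emitted as
// literal text inside the <h3>/<h5> of the summary templates, with nothing
// lost and no dependence on what the save path did.
function renderTopic(string $storedTopic): string
{
    return htmlspecialchars($storedTopic, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Self-check for a rendered title: true when it contains no raw markup
// characters (well-formed entities such as &lt; or &#039; are allowed).
function isInertText(string $rendered): bool
{
    return !preg_match('/[<>"\']|&(?![a-zA-Z#][a-zA-Z0-9]*;)/', $rendered);
}

// Constructed sample topics; the flag says whether the row went through the
// save-time filter (a legacy row stored before 1.0.2 would not have).
$samples = [
    ['Plain topic',                                 true],
    ['A <b>bold</b> topic',                         true],
    ['Ratio 3 < 4 & "quoted"',                      true],
    ['<em>legacy row</em> saved before the filter', false],
];

foreach ($samples as [$topic, $passedSaveFilter]) {
    $stored   = $passedSaveFilter ? filterTopicOnSave($topic) : $topic;
    $rendered = renderTopic($stored);
    printf("%-44s stored=%-40s inert after save filter only: %-3s inert after render escape: %s\n",
        $topic, $stored, isInertText($stored) ? 'yes' : 'no',
        isInertText($rendered) ? 'yes' : 'no');
}
```

Run it with `php` on the command line: the save-time filter alone leaves the third and fourth rows non-inert, while every row is inert once it passes through the render-time encoder.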