[pLog-svn] r2462 - plog/branches/plog-1.0.2/templates/summary

Mark Wu markplace at gmail.com
Mon Sep 12 14:44:31 GMT 2005


That's why I suggest only adding to /class/action/addcommentaction.class.php

$this->_commentTopic = trim(Textfilter::filterAllHTML($this->_request->getValue( "commentTopic" )));

And revert SVN rev 2461 and 2461.

Because according to the current 1.0.2 code base, the user has no way to add HTML tags
to postTopic, postSlug and commentTopic.

IMHO, if there is still something wrong after the 1.0.2 release, then we will know
the bug comes from the "incomplete" filterAllHTML() function, and we will have
a chance to improve it. :D

Mark

> -----Original Message-----
> From: plog-svn-bounces at devel.plogworld.net 
> [mailto:plog-svn-bounces at devel.plogworld.net] On Behalf Of Jon Daley
> Sent: Monday, September 12, 2005 10:33 PM
> To: plog-svn at devel.plogworld.net
> Subject: RE: [pLog-svn] r2462 - 
> plog/branches/plog-1.0.2/templates/summary
> 
> Hrm.  I guess it is because people are still using 1.0.1, I see how they
> are stripped out now.  I thought I tested this before I checked the code
> in.  Certainly the comments still have that problem.
> I would argue against filtering out all html on posts (I have used html
> inside the post title before, and it is nice to have that option).
> If a blog poster wants to mess up his own blog, that is fine,
> that is why I think we just need to filter the html in the
> summary and admin side, rather than everywhere.
> But, I don't care about this a lot - I guess we will
> see if anyone else does when 1.0.2 is released.
> 
> On Mon, 12 Sep 2005, Mark Wu wrote:
> > Hi Jon:
> >
> > Kindly take a look at _fetchCommonData() in
> > /class/action/adminpostmanagementcommonaction.class.php; we already
> > filter the html before we save it.. :D
> >
> > $this->_postTopic = trim(Textfilter::xhtmlize(Textfilter::filterAllHTML($this->_request->getValue( "postTopic" ))));
> >
> > Mark
> >
> >> -----Original Message-----
> >> From: plog-svn-bounces at devel.plogworld.net
> >> [mailto:plog-svn-bounces at devel.plogworld.net] On Behalf Of 
> Jon Daley
> >> Sent: Monday, September 12, 2005 9:24 PM
> >> To: plog-svn at devel.plogworld.net
> >> Subject: RE: [pLog-svn] r2462 -
> >> plog/branches/plog-1.0.2/templates/summary
> >>
> >>  	Are you sure?  I don't think so.
> >>
> >> On Mon, 12 Sep 2005, Mark Wu wrote:
> >>> Hi Jon:
> >>>
> >>> Sorry, forgot to mention another thing: we already filter postTopic
> >>> html tags in 1.0.2... Therefore, I think we don't need to strip them
> >>> in summary again.
> >>>
> >>> Mark
> >>>
> >>>> -----Original Message-----
> >>>> From: Mark Wu [mailto:markplace at gmail.com]
> >>>> Sent: Sunday, September 11, 2005 11:11 PM
> >>>> To: 'plog-svn at devel.plogworld.net'
> >>>> Subject: RE: [pLog-svn] r2462 -
> >>>> plog/branches/plog-1.0.2/templates/summary
> >>>>
> >>>> Hi Jon:
> >>>>
> >>>> I just think if we "have to" strip tags for comment topic,
> >> why don't
> >>>> we just remove it before we save the comments?
> >>>>
> >>>> What do you think?
> >>>>
> >>>> Mark
> >>>>
> >>>>> -----Original Message-----
> >>>>> From: plog-svn-bounces at devel.plogworld.net
> >>>>> [mailto:plog-svn-bounces at devel.plogworld.net] On Behalf Of 
> >>>>> jondaley at devel.plogworld.net
> >>>>> Sent: Sunday, September 11, 2005 7:32 PM
> >>>>> To: plog-svn at devel.plogworld.net
> >>>>> Subject: [pLog-svn] r2462 -
> >>>> plog/branches/plog-1.0.2/templates/summary
> >>>>>
> >>>>> Author: jondaley
> >>>>> Date: 2005-09-11 11:32:08 +0000 (Sun, 11 Sep 2005)
> >>>>> New Revision: 2462
> >>>>>
> >>>>> Modified:
> >>>>>    plog/branches/plog-1.0.2/templates/summary/post.template
> >>>>>    plog/branches/plog-1.0.2/templates/summary/summary.template
> >>>>> Log:
> >>>>> remove html tags from comment Topic, in all cases.  Remove html from
> >>>>> postTopic, in admin interface.  This doesn't entirely solve the
> >>>>> problem, because if users want to allow <a href=blah>...</a> in their
> >>>>> comments (and plog does that by default) then the user is also
> >>>>> allowed to have the iframe attribute tag stuff.  A fair amount of
> >>>>> discussion on the strip_tags section of php.net
> >>>>>
> >>>>> Modified: 
> plog/branches/plog-1.0.2/templates/summary/post.template
> >>>>>
> >> ===================================================================
> >>>>> --- plog/branches/plog-1.0.2/templates/summary/post.template
> >>>>> 2005-09-11 11:04:03 UTC (rev 2461)
> >>>>> +++ plog/branches/plog-1.0.2/templates/summary/post.template
> >>>>> 2005-09-11 11:32:08 UTC (rev 2462) @@ -1,6 +1,6 @@
> >>>>>      {assign var="blog" value=$post->getBlogInfo()}
> >>>>>  	{assign var="request" 
> value=$blog->getBlogRequestGenerator()}
> >>>>> -    <h5>{$post->getTopic()}</h5>
> >>>>> +    <h5>{$post->getTopic()|strip_tags}</h5>
> >>>>>      <div class="subtitle">
> >>>>>          {$locale->tr("blog")} <a
> >>>>> href="{$request->blogLink()}">{$blog->getBlog()}</a>
> >>>>>      </div>
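Review bot: `|strip_tags` on the changed line `+    <h5>{$post->getTopic()|strip_tags}</h5>` removes tag-shaped spans but does not encode what is left, so the heading is still emitted as raw markup; for a field that is meant to be plain text, `|escape` (which entity-encodes `<`, `>`, `&` and quotes) is the safer modifier, and it also keeps a harmless title such as `Release <1.0.2>` from losing characters. Separately, the log message says html tags are removed from the comment topic in all cases, but the lines in this revision only touch `$post->getTopic()` in the two summary templates; no comment-topic change appears in this diff.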
> >>>>> @@ -19,4 +19,4 @@
> >>>>>          <img src="imgs/comment.png" width="11" height="10"
> >>>>> alt="{$locale->tr("comments")}" />&nbsp;
> >>>>>          <a
> >>>>> href="{$request->postPermalink($post)}#comments">{if
> >>>>> $post->getTotalComments() eq 0}{$locale->tr("comment on 
> >>>>> this")}{else}{$post->getTotalComments()}
> >>>>> {$locale->tr("comments")|capitalize}{/if}</a>
> >>>>>          <br style="clear: both;" />
> >>>>> -    </div>
> >>>>> \ No newline at end of file
> >>>>> +    </div>
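Review bot: this hunk is whitespace-only, adding the missing newline at end of file (the `-    </div>` / `+    </div>` pair around `\ No newline at end of file`); keeping a formatting fix out of a security-motivated change makes the revision easier to review and to revert cleanly, which matters here since a revert of this revision is being proposed in the thread.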
> >>>>>
> >>>>> Modified:
> >>>> plog/branches/plog-1.0.2/templates/summary/summary.template
> >>>>>
> >> ===================================================================
> >>>>> ---
> >>>>> plog/branches/plog-1.0.2/templates/summary/summary.template
> >>>>> 2005-09-11 11:04:03 UTC (rev 2461)
> >>>>> +++
> >>>>> plog/branches/plog-1.0.2/templates/summary/summary.template
> >>>>> 2005-09-11 11:32:08 UTC (rev 2462) @@ -1,6 +1,6 @@  {include 
> >>>>> file="summary/header.template"}
> >>>>>   {foreach from=$posts item=post}
> >>>>> -   <h3>{$post->getTopic()}</h3>
> >>>>> +   <h3>{$post->getTopic()|strip_tags}</h3>
> >>>>>  {assign var="postDate" value=$post->getDateObject()} {assign 
> >>>>> var="postOwner" value=$post->getUserInfo()}  <span 
> >>>>> class="date">{$postOwner->getUsername()} | 
> >>>>> {$locale->formatDate($postDate,"%d %B, %Y %H:%M")}</span>
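Review bot: the same `|strip_tags` is applied to `{$post->getTopic()}` here, while `{$postOwner->getUsername()}` in the unchanged context lines of this hunk is still output with no modifier; if the intent is that nothing stored in the database reaches the summary page as markup, the filter (preferably `|escape`) should be applied to every such value in the template, not only to the topic. Note also that in this copy of the patch the `@@ -1,6 +1,6 @@` header has been run together with the `{include file="summary/header.template"}` context line, so anyone applying it by hand needs to split that line first.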
> >>>>>
> >>>>> _______________________________________________
> >>>>> pLog-svn mailing list
> >>>>> pLog-svn at devel.plogworld.net
> >>>>> http://devel.plogworld.net/mailman/listinfo/plog-svn
> >>>
> >>
> >> **************************************
> >> Jon Daley
> >> http://jon.limedaley.com/plog/
> >>
> >> Quoting: the act of repeating erroneously the words of another.
> >> -- Ambrose Bierce
> >
> 
> **************************************
> Jon Daley
> http://jon.limedaley.com/plog/
> 
> You've got a smarter IQ than I do,
>    so that means you're freakin' brilliant.
> -- Janet Wightman
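The two filtering strategies argued over in this thread, stripping tags (what Smarty's |strip_tags and, as far as the thread describes it, Textfilter::filterAllHTML() do) versus encoding or allow-list sanitizing of the output, shown side by side in an added PHP example. This is not code from the thread or from pLog: Textfilter::filterAllHTML() is not reproduced and PHP's own strip_tags() stands in for it, the sanitizer and helper names are this example's own, and the sample topic and comment strings are constructed for the demo. It also shows the attribute problem the commit log alludes to: with the allow-list form of strip_tags(), an allowed <a> keeps every attribute it came with, which the php.net strip_tags documentation explicitly warns about.

```php
<?php
// Added example (not pLog/LifeType code). Contrasts tag stripping with output
// encoding and allow-list sanitizing. Textfilter::filterAllHTML() is not
// reproduced; PHP's strip_tags() stands in for it (assumption: both just drop tags).
declare(strict_types=1);

// A post or comment topic is plain text, so encode it for the HTML context at
// output time. Nothing is lost: a title containing '<1.0.2>' still displays as-is.
function encodeForHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// What strip_tags() with an allow-list actually does: the <a> element survives
// together with every attribute on it, so javascript: hrefs and on* handlers
// pass straight through.
function stripKeepingAnchors(string $html): string
{
    return strip_tags($html, '<a>');
}

// Allow-list sanitizer for comment bodies that may contain links: parse with the
// DOM, keep only <a> with an http(s) href and no other attributes, flatten every
// other element to its text, and entity-encode all text. Because the DOM decodes
// entities before href is inspected, '&#106;avascript:' style tricks are caught too.
function sanitizeComment(string $html): string
{
    if (trim($html) === '') {
        return '';
    }
    $doc  = new DOMDocument();
    $prev = libxml_use_internal_errors(true);           // no warnings on sloppy markup
    $doc->loadHTML('<?xml encoding="UTF-8">' . $html);  // force UTF-8 interpretation
    libxml_use_internal_errors($prev);
    $body = $doc->getElementsByTagName('body')->item(0);
    return $body === null ? '' : serializeAllowed($body);
}

function serializeAllowed(DOMNode $node): string
{
    $out = '';
    foreach ($node->childNodes as $child) {
        if ($child instanceof DOMText) {
            $out .= encodeForHtml($child->textContent);
        } elseif ($child instanceof DOMElement) {
            $inner = serializeAllowed($child);          // children first; tag dropped by default
            $href  = $child->getAttribute('href');
            if (strtolower($child->tagName) === 'a' && preg_match('#^https?://#i', $href) === 1) {
                // Re-emit the anchor from scratch: only the checked href, no other attributes.
                $out .= '<a href="' . encodeForHtml($href) . '" rel="nofollow">' . $inner . '</a>';
            } else {
                $out .= $inner;
            }
        }
        // comments and processing instructions are dropped
    }
    return $out;
}

// Constructed sample inputs (not taken from the thread).
$topic   = 'pLog <1.0.2> & "summary" page';
$comment = '<a href="javascript:alert(1)" onmouseover="alert(1)">click</a>'
         . ' see <a href="https://example.invalid/docs">docs</a>'
         . ' <iframe src="https://example.invalid/"></iframe> <b>bold</b>';

echo "topic, strip_tags:   ", strip_tags($topic), PHP_EOL;
echo "topic, encoded:      ", encodeForHtml($topic), PHP_EOL;
echo "comment, strip_tags: ", stripKeepingAnchors($comment), PHP_EOL;
echo "comment, sanitized:  ", sanitizeComment($comment), PHP_EOL;
```

Run it with `php example.php` and compare the four lines. The design choice it illustrates: a plain-text field such as a topic needs output encoding for the context it is rendered in, which is cheap and lossless, while a rich field such as a comment body needs a structural allow-list (parse, keep only known-good elements and attributes, re-serialize) rather than tag removal; either can be done once at save time, as Mark proposes, but the template-side step is what protects the summary and admin pages regardless of what was stored.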
