[pLog-svn] BlogNameValidator() cause Chinese blog name error!

Mark Wu markplace at gmail.com
Tue Sep 11 13:45:27 EDT 2007


Hi Jon:

Take a look at the Wikipedia zh version. The Chinese string can be encoded to
UTF-8 like:

http://zh.wikipedia.org/w/index.php?title=%E4%B8%AD%E4%B8%96%E7%B4%80%E9%A3%B2%E9%A3%9F%E6%96%87%E5%8C%96&variant=zh-tw

The browser will accept this; both FF and IE accept it.

For me, I don't like it. That's why I said "blog_slug" is a better solution
for this. :D

Agreed, we need to validate the input string. But I really have no idea how
to validate a free-form "string".

And even if we use the domainize or urlize function to validate the blog name
at this moment, we still use the original blog name input by the user (only
with the HTML filter) in our addBlogAction ...

So, if SQL injection occurs in the string validator, it happens in
blognamevalidator, too ...

Mark

> -----Original Message-----
> From: plog-svn-bounces at devel.lifetype.net 
> [mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of Jon Daley
> Sent: Wednesday, September 12, 2007 1:29 AM
> To: LifeType Developer List
> Subject: Re: [pLog-svn] BlogNameValidator() cause Chinese 
> blog name error!
> 
>     You said, "if you use UTF8, it would be fixed". But then you said that
> it would show %xx%yy - is that acceptable? Does it actually show those
> characters in the URL, or does the browser/server change those back to
> "real" characters that look how you want?
>
>     We need validation on input, and string validator doesn't count.
> Can you write a validator that works for you, and doesn't allow SQL
> injections?
> 
> On Wed, 12 Sep 2007, Mark Wu wrote:
> 
> > As you said, the issue is everywhere in LifeType when we convert the
> > string to a valid URL, for example {xxxname} in a custom URL. It is
> > an old problem. :(
> >
> > That's why most China/Taiwan users use {xxxid} instead of
> > {xxxname} in custom URLs.
> >
> > ** I raised this issue before; I said maybe we have to add
> > xx_slug for every object that needs to be urlized. But we all
> > agreed it is not a good idea to add xxx_slug to XX objects. :)
> >
> > And, yes, the issue can be fixed if we only use UTF-8 ...
> >
> > After we urlize the Chinese sentence (encode the string to
> > UTF-8), the string will become %xx%yy%zz.
> >
> > The "%xx%yy%zz" can be used in a URL path without any problem, but
> > it does not work in a domain name ... That's another issue.
> >
> > Therefore I said it can't be fixed. :(
> >
> > Mark
> 
> > -----Original Message-----
> > From: plog-svn-bounces at devel.lifetype.net
> > [mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of Jon Daley
> > Sent: Wednesday, September 12, 2007 12:51 AM
> > To: LifeType Developer List
> > Subject: Re: [pLog-svn] BlogNameValidator() cause Chinese blog name 
> > error!
> >
> >     I understand that it returns an empty string, but the
> > problem isn't in the blognamevalidator, but in urlize and domainize,
> > which are used in other places in the code. Don't you have issues elsewhere?
> > 
> > On Wed, 12 Sep 2007, Mark Wu wrote:
> > 
> > > Hi Jon:
> > >
> > > Agreed.
> > >
> > > But I don't think it can be fixed if we use the domainize()
> > > function. It is because domainize() and urlize() will remove some
> > > invalid characters that are not allowed in a URL.
> > >
> > > Sometimes the whole Chinese sentence after domainize() or
> > > urlize() will return an empty string, or the same string as another,
> > > different Chinese sentence.
> > >
> > > Take the Chinese sentence "台北教會" for example. It means "church in
> > > Taipei". After domainize(), it will return an EMPTY string. So the
> > > user cannot create a new blog .....
> > >
> > > That's why I said I have to change it back to string validator ONLY IF
> > > the blog admin does not enable subdomain or blogdomain.
> > >
> > > Or most Chinese users cannot add a new blog at this
> > > moment, which is really not good.
> > >
> > > ** The best way to solve this is to add a blog_slug to blogInfo; it is
> > > different from the blog name. It can avoid all this kind of problem.
> > >
> > > Mark
> > 
> > > -----Original Message-----
> > > From: plog-svn-bounces at devel.lifetype.net
> > > [mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of Jon Daley
> > > Sent: Tuesday, September 11, 2007 9:24 PM
> > > To: LifeType Developer List
> > > Subject: Re: [pLog-svn] BlogNameValidator() cause Chinese blog name
> > > error!
> > >
> > >     I don't think changing it to string validator is the
> > > right answer, since we use urlize and domainize other places, so if they
> > > are broken for Chinese characters, they need to be fixed, otherwise
> > > you will have issues in other places too.
> > >     A string validator doesn't do anything, so we can't
> > > count on that to actually validate the data.
> > > 
> > > On Tue, 11 Sep 2007, Mark Wu wrote:
> > > 
> > > > Hi Oscar & Jon:
> > > >
> > > > It seems the new BlogNameValidator will cause some errors
> > > > when the user enters a Chinese blog name.
> > > >
> > > > I am still checking on it; it seems the new
> > > > Textfilter::domainize() or Textfilter::urlize() causes the error.
> > > >
> > > > If I cannot fix this bug, I will change it back to string
> > > > validator if the blog admin does not enable the subdomain and blogdomain
> > > > function. It can avoid this kind of problem.
> > > >
> > > > Mark
> > > >
> > > 
> > > --
> > > Jon Daley
> > > http://jon.limedaley.com/
> > > 
> > > The real world is
> > > a special case.
> > > -- Horngren's Observation
> > > _______________________________________________
> > > pLog-svn mailing list
> > > pLog-svn at devel.lifetype.net
> > > http://limedaley.com/mailman/listinfo/plog-svn
> > 
> > 
> > --
> > Jon Daley
> > http://jon.limedaley.com/
> > 
> > Keep your face to the sunshine and you cannot see the shadow.
> > -- Helen Keller
> 
> 
> --
> Jon Daley
> http://jon.limedaley.com/
> 
> The secret to programming is not intelligence,
>    though of course that helps.
> It is not hard work or experience, though they help, too.
> The secret to programming is having smart friends.
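
The thread turns on two observations: a domainize()/urlize() that drops every non-ASCII character maps "台北教會" to an empty string (and maps different names to the same string), while percent-encoded UTF-8 survives in a URL path but is not a legal DNS label; and whatever the slug check does, the free-form blog name is still what gets stored, so that check protects nothing about the name itself. The Python model below is an added example, not LifeType's Textfilter code; naive_domainize, utf8_urlize, is_valid_dns_label and add_blog are hypothetical names, and the table schema and the second sample name are constructed.

```python
import re
import sqlite3
import urllib.parse

def naive_domainize(name: str) -> str:
    """Model of a domainize()/urlize() that keeps only [a-z0-9-]: every
    non-ASCII character is dropped, so an all-CJK name becomes ''."""
    slug = re.sub(r"\s+", "-", name.strip().lower())
    return re.sub(r"[^a-z0-9-]", "", slug).strip("-")

def utf8_urlize(name: str) -> str:
    """Percent-encode the UTF-8 bytes instead of dropping them (the
    %E4%B8%AD... form seen on zh.wikipedia.org). Fine in a URL path."""
    return urllib.parse.quote(re.sub(r"\s+", "-", name.strip()), safe="-")

def is_valid_dns_label(label: str) -> bool:
    """RFC 1035 letters-digits-hyphen label: 1..63 chars, no edge hyphen.
    '%' is never allowed, so a percent-encoded name cannot be a subdomain."""
    return re.fullmatch(r"(?!-)[a-z0-9-]{1,63}(?<!-)", label) is not None

def domainize_collisions(names):
    """Group distinct names that domainize to the same slug (incl. '')."""
    groups = {}
    for n in names:
        groups.setdefault(naive_domainize(n), []).append(n)
    return {k: v for k, v in groups.items() if len(v) > 1}

def add_blog(conn, name: str, slug: str) -> None:
    """Store the free-form display name next to a separately validated
    slug (the blog_slug idea). The slug check says nothing about 'name';
    binding it as a parameter is what keeps quotes in it out of the SQL."""
    if not is_valid_dns_label(slug):
        raise ValueError(f"invalid slug: {slug!r}")
    conn.execute("INSERT INTO blogs (name, slug) VALUES (?, ?)", (name, slug))

def demo():
    taipei, taichung = "台北教會", "台中教會"       # names from the thread
    conn = sqlite3.connect(":memory:")              # constructed schema
    conn.execute("CREATE TABLE blogs (name TEXT, slug TEXT UNIQUE)")
    add_blog(conn, taipei, "taipei-church")
    add_blog(conn, "Mark's 台北 blog", "test")    # constructed; quote kept literally
    stored = [r[0] for r in conn.execute("SELECT name FROM blogs ORDER BY slug")]
    return {
        "domainized": naive_domainize(taipei),
        "collisions": domainize_collisions([taipei, taichung, "My Blog"]),
        "urlized": utf8_urlize(taipei),
        "urlized_is_label": is_valid_dns_label(utf8_urlize(taipei)),
        "stored_names": stored,
    }
```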
