[pLog-svn] BlogNameValidator() cause Chinese blog name error!

Mark Wu markplace at gmail.com
Tue Sep 11 14:11:16 EDT 2007 

Just see this.

If we all agree, I will try to modify the code based on our discussion. :)

Mark 

> -----Original Message-----
> From: plog-svn-bounces at devel.lifetype.net 
> [mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of 
> Oscar Renalias
> Sent: Wednesday, September 12, 2007 2:03 AM
> To: LifeType Developer List
> Subject: Re: [pLog-svn] BlogNameValidator() cause Chinese 
> blog name error!
> 
> It's not just blog_slug. It's also category_slug, album_slug, 
> resource_slug, global_article_category_slug, 
> blog_category_slug, and so on.
> 
> The main reason for the BlogNameValidator class was to 
> prevent situations in where custom URLs or subdomain URLs 
> would end up with an empty blog slug, because the original 
> contained all HTML or incorrect characters. We can do so, as 
> suggested by Mark, that whenever subdomains and custom URLs 
> are disabled, we don't need to impose this restriction (and 
> the validator will always validate whatever is passed)
> 
> On 11 Sep 2007, at 20:56, Jon Daley wrote:
> 
> > 	Yes, I agree that looks ugly, and we should try to not 
> do that.  
> > Has someone (oscar) not liked the blog_slug - or is it just that 
> > requires new code, so it isn't a trivial add.
> > 	For validating - it isn't a "free form string", it is a 
> blog name, so 
> > [a-zA-Z] or whatever we do is good enough for English - is there a 
> > similar regexp you can add that covers chinese characters?  (Do we 
> > need to cover other languages too?)
> >
> > On Wed, 12 Sep 2007, Mark Wu wrote:
> >
> >> Hi Jon:
> >
> > Take a look the Wikipeida Zh version.  The chinese string  
> can encode 
> > to
> > UTF-8 like:
> >
> > http://zh.wikipedia.org/w/index.php?title=%E4%B8%AD%E4%B8%96%E7%B4%
> > 80%E9%A3%
> > B2%E9%A3%9F%E6%96%87%E5%8C%96&variant=zh-tw
> >
> > The browser will accept this. And both FF or IE accept this.
> >
> > For me, I don't like it. That's why I siad "blog_slug" is a better 
> > solution for this. :D
> >
> > Agreed, we need to validate the input string. But I  really have no 
> > idea how to validate a free form "string".
> >
> > And, even we use the domainize or urlize function to 
> validate the blog 
> > name
> > at this moment, we still use the original blog name input by user   
> > (only
> > with filter html) in our addBlogAction ...
> >
> > So, If the SQL injection occurs in string validator, it happened in 
> > blognamevalidator , too ...
> >
> > Mark
> >
> >> -----Original Message-----
> >> From: plog-svn-bounces at devel.lifetype.net [mailto:plog-svn- 
> >> bounces at devel.lifetype.net] On Behalf Of Jon Daley
> >> Sent: Wednesday, September 12, 2007 1:29 AM
> >> To: LifeType Developer List
> >> Subject: Re: [pLog-svn] BlogNameValidator() cause Chinese 
> blog name 
> >> error!
> >>
> >>  	You said, "if you use UTF8, it would be fixed".  But 
> then you said 
> >> that it would show %xx%yy - is that acceptable?
> >>  Does it actually show those characters in the URL, or does the 
> >> browser/server change those back to "real" characters, 
> that look how 
> >> you want?
> >>
> >>  	We need validation on input, and string validator 
> doesn't count.  
> >> Can you write a validator that works for you, and doesn't 
> allow SQL 
> >> injections?
> >> On Wed, 12 Sep 2007, Mark Wu wrote:
> >> > As you said, the issue is every where in lifetype when we
> >> convert the > string
> >> to a valid url, for example,  {xxxname}  in custom url. It 
> is a old 
> >> problem.
> >> :(
> >> That's why  most China/Taiwan user use {xxxid} instead of 
> {xxxname} 
> >> in custom url
> >> ** I raised this issue before, I said maybe we have to add xx_slug 
> >> for every object that need to urlized. But we all agreed 
> it is not a 
> >> good idea to add xxx_slug to XX objects. :) And, yes, the 
> issue can 
> >> be fixed, if we only use the utf8 ...
> >> After we urlize the chinese sentense (encode the string to
> >> utf8)  , the string will become %xx%yy%zz .
> >> The  "%xx%yy%zz" can use in url path without any problem, but not 
> >> works in domain name ... That's another issue.
> >> Therefore I said it can't be fixed. :( Mark
> >> > -----Original Message-----
> >> > From: plog-svn-bounces at devel.lifetype.net
> >> > [mailto:plog-svn-bounces at devel.lifetype.net] On Behalf 
> Of Jon Daley
> >> > Sent: Wednesday, September 12, 2007 12:51 AM
> >> > To: LifeType Developer List
> >> > Subject: Re: [pLog-svn] BlogNameValidator() cause Chinese blog
> >> name > error!
> >> >
> >> >  	I understand that it returns an empty string, 
> but the problem
> >> isn't > in the blognamevalidator, but in urlize and 
> domainize, which 
> >> are used > in other places in the code.  Don't you have issues 
> >> elsewhere?
> >> > > On Wed, 12 Sep 2007, Mark Wu wrote:
> >> > > > Hi Jon:
> >> > > Agreed.
> >> > > But, I don't think it can be fixed if we use domainze()
> >> function. It > is because the  domainize() and urlize() 
> will remove 
> >> some invalid > characters that not allowed in url.
> >> > > Sometimes, the whole Chinese sentence after domainize() or
> >> urlize will > return empty string, or the same string as another 
> >> different Chinese > sentence.
> >> > > Take the Chinese sentence "台北教會" for example, It means
> >> "church in > Taipei". After domainze(), it will return 
> EMPTY string. 
> >> So, user can > not create new blog .....
> >> > > That's why I said I have to change it back to string validator
> >> ONLY IF > the blog admin does not enable subdomain or blogdomain.
> >> > > Or the most Chinese user can not add new blog at this moment ,
> >> it is > really not good.
> >> > > ** The best way to solve this is add a blog_slug to blogInfo,
> >> it is > different to blog name. It can avoid all this kind of 
> >> problem.
> >> > > Mark
> >> > > > -----Original Message-----
> >> > > From: plog-svn-bounces at devel.lifetype.net
> >> > > [mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of Jon
> >> Daley
> >> > > Sent: Tuesday, September 11, 2007 9:24 PM
> >> > > To: LifeType Developer List
> >> > > Subject: Re: [pLog-svn] BlogNameValidator() cause Chinese blog
> >> name > > error!
> >> > >
> >> > >  	I don't think changing it to string validator is the
> >> > right answer,
> >> > > since we use urlize and domainize other places, so if they
> >> > are broken
> >> > > for chinese characters, they need to be fixed, otherwise, you
> >> will > > have issues in other places too.
> >> > >  	A string validator doesn't do anything, so we can't
> >> > count on that to
> >> > > actually validate the data.
> >> > > > > On Tue, 11 Sep 2007, Mark Wu wrote:
> >> > > > > > Hi Oscar & Jon:
> >> > > >
> >> > > > It seems the new BlogNameValidator will cause some error
> >> > when user
> >> > > > enter Chinese blog name.
> >> > > >
> >> > > > I am still checking on it, it seems the new
> >> > > Textfilter::domanize() or
> >> > > > Textfilter::urlize()  casue the error.
> >> > > >
> >> > > > If I can not fix this bug, I will change it back to string
> >> > > validator
> >> > > > if blog admin does not enable subdomain and blogdomain
> >> > function. It
> >> > > > can avoid this kind of problem.
> >> > > >
> >> > > > Mark
> >> > > >
> >> > > > > --
> >> > > Jon Daley
> >> > > http://jon.limedaley.com/
> >> > > > > The real world is
> >> > > a special case.
> >> > > -- Horngren's Observation
> >> > > _______________________________________________
> >> > > pLog-svn mailing list
> >> > > pLog-svn at devel.lifetype.net
> >> > > http://limedaley.com/mailman/listinfo/plog-svn
> >> > > _______________________________________________
> >> > pLog-svn mailing list
> >> > pLog-svn at devel.lifetype.net
> >> > http://limedaley.com/mailman/listinfo/plog-svn
> >> > > --
> >> > Jon Daley
> >> > http://jon.limedaley.com/
> >> > > Keep your face to the sunshine and you cannot see the shadow.
> >> > -- Helen Keller
> >> _______________________________________________
> >> pLog-svn mailing list
> >> pLog-svn at devel.lifetype.net
> >> http://limedaley.com/mailman/listinfo/plog-svn
> >> --
> >> Jon Daley
> >> http://jon.limedaley.com/
> >> The secret to programming is not intelligence,
> >>    though of course that helps.
> >> It is not hard work or experience, though they help, too.
> >> The secret to programming is having smart friends.
> >
> > _______________________________________________
> > pLog-svn mailing list
> > pLog-svn at devel.lifetype.net
> > http://limedaley.com/mailman/listinfo/plog-svn
> >
> > --
> > Jon Daley
> > http://jon.limedaley.com/
> >
> > Use of excessive, unnecessary, commas, has always been,
> >   one of my, pet
> > peeves._______________________________________________
> > pLog-svn mailing list
> > pLog-svn at devel.lifetype.net
> > http://limedaley.com/mailman/listinfo/plog-svn
> 
> _______________________________________________
> pLog-svn mailing list
> pLog-svn at devel.lifetype.net
> http://limedaley.com/mailman/listinfo/plog-svn

More information about the pLog-svn mailing list