[pLog-svn] today's changes
Mark Wu
markplace at gmail.com
Tue Jul 1 00:57:32 EDT 2008
Actually, I think only allowing non-HTML text in custom fields should be enough.
If a plugin developer really needs HTML somewhere, he should create his
own DAO and use the correct validator for it.
Mark
> -----Original Message-----
> From: plog-svn-bounces at devel.lifetype.net
> [mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of Jon Daley
> Sent: Tuesday, July 01, 2008 3:06 AM
> To: LifeType Developer List
> Subject: Re: [pLog-svn] today's changes
>
> I have been thinking about the custom_field and
> global_settings validation - what if we strip out all HTML
> (except for the one setting that needs html
> (allowed_html_tags)) but put a hidden configuration option so
> people can disable that if they have been depending on it for
> their custom fields?
>
> And then in 2.0 we would add a validator to the "new
> custom field"
> creator, and the user can pick which validator is necessary -
> and if he requires the ability to allow javascript in his
> custom fields, well - then he is at risk, but there isn't
> any way to prevent that (outside of the previously talked
> about XSS/CSRF/etc stuff).
>
>
> On Sat, 21 Jun 2008, Jon Daley wrote:
>
> > I haven't tested the registration process. Everything
> else should be
> > good.
> >
> > I am not planning on any more changes, except to check
> the TODOs to
> > see if we are going to do anything with them for 1.2.9.
> >
> > One important TODO is the globalsettings validation
> (and probably
> > other places like that). Maybe we can just do a
> > stringvalidator(false) to validate everything, except a
> couple settings?
> >
> > I would be alright with leaving the customfield
> validation until
> > later - they are add-ons, custom done, (so harder to guess to
> > exploit). It would be able to announce with the 1.2.9 "we
> don't know
> > of any security issues/exploits", which would mean fixing
> the customfield validation now.
> >
> >
> >
>
> --
> Jon Daley
> http://jon.limedaley.com
> ~~
> I never think of the future. It comes soon enough.
> -- Albert Einstein
> _______________________________________________
> pLog-svn mailing list
> pLog-svn at devel.lifetype.net
> http://limedaley.com/mailman/listinfo/plog-svn