[pLog-svn] today's changes

Mark Wu markplace at gmail.com
Tue Jul 1 00:57:32 EDT 2008


Actually, I think only allowing no-HTML text in custom fields should be enough.

If a plugin developer really needs HTML somewhere, he should create his
own DAO and use the correct validator for it.

Mark

> -----Original Message-----
> From: plog-svn-bounces at devel.lifetype.net 
> [mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of Jon Daley
> Sent: Tuesday, July 01, 2008 3:06 AM
> To: LifeType Developer List
> Subject: Re: [pLog-svn] today's changes
> 
>  	I have been thinking about the custom_field and 
> global_settings validation - what if we strip out all HTML 
> (except for the one setting that needs html 
> (allowed_html_tags)) but put a hidden configuration option so 
> people can disable that if they have been depending on it for 
> their custom fields?
> 
>  	And then in 2.0 we would add a validator to the "new 
> custom field" 
> creator, and the user can pick which validator is necessary - 
> and if he requires the ability to allow javascript in his 
> custom fields, well - then he is at risk, but there isn't 
> anyway to prevent that (outside of the previously talked 
> about XSS/CSRF/etc stuff).
> 
> 
> On Sat, 21 Jun 2008, Jon Daley wrote:
> 
> > 	I haven't tested the registration process.  Everything else should be
> > good.
> >
> > 	I am not planning on any more changes, except to check the TODOs to
> > see if we are going to do anything with them for 1.2.9.
> >
> > 	One important TODO is the globalsettings validation (and probably
> > other places like that).  Maybe we can just do a
> > stringvalidator(false) to validate everything, except a couple settings?
> >
> > 	I would be alright with leaving the customfield validation until
> > later - they are add-ons, custom done, (so harder to guess to
> > exploit). It would be able to announce with the 1.2.9 "we don't know
> > of any security issues/exploits", which would mean fixing the
> > customfield validation now.
> >
> >
> >
> 
> --
> Jon Daley
> http://jon.limedaley.com
> ~~
> I never think of the future.  It comes soon enough.
> -- Albert Einstein
> _______________________________________________
> pLog-svn mailing list
> pLog-svn at devel.lifetype.net
> http://limedaley.com/mailman/listinfo/plog-svn
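The policy the thread converges on (strip all HTML from global settings and custom fields by default, treat `allowed_html_tags` as the one exception, and keep a hidden compatibility switch for people who relied on raw HTML in custom fields) is small enough to sketch in code. The following is an added illustration written for this page, not LifeType's own `StringValidator` or settings code: the function names, the `custom_` key prefix, and the assumption that `allowed_html_tags` holds a list of tag names (either `a,b,i` or PHP-style `<a><b><i>`) are all mine.

```python
import html
import re
from typing import Callable, Dict, List, Tuple

# Illustrative policy for the thread's proposal; names are assumptions,
# not LifeType's own classes or setting keys.

TAG_RE = re.compile(r"<[^>]*>", re.DOTALL)          # any complete tag
TAG_NAME_RE = re.compile(r"^[a-z][a-z0-9]{0,15}$")  # a bare tag name only


def strip_html(value: str) -> str:
    """Default policy for every setting: drop complete tags, then escape
    whatever is left so a stray '<' cannot become markup later."""
    return html.escape(TAG_RE.sub("", value), quote=True)


def validate_tag_list(value: str) -> str:
    """The one setting that legitimately 'needs html'. It is a list of tag
    names, so accept 'a,b,i' or '<a><b><i>', normalise to 'a,b,i', and
    reject attributes or anything else that is not a bare tag name. This
    checks the format only; which tags are wise to allow is an admin choice."""
    tokens = [t.strip().lower() for t in re.split(r"[<>,\s]+", value) if t.strip()]
    for token in tokens:
        if not TAG_NAME_RE.match(token):
            raise ValueError(f"not a tag name in allowed_html_tags: {token!r}")
    return ",".join(tokens)


def passthrough(value: str) -> str:
    """Used only behind the hidden compatibility switch."""
    return value


def choose_validator(key: str, allow_html_in_custom_fields: bool) -> Callable[[str], str]:
    """Per-field policy: the tag list gets its own validator, custom fields
    may be exempted by the hidden switch, everything else is stripped."""
    if key == "allowed_html_tags":
        return validate_tag_list
    if key.startswith("custom_") and allow_html_in_custom_fields:
        return passthrough
    return strip_html


def validate_settings(
    settings: Dict[str, str], *, allow_html_in_custom_fields: bool = False
) -> Tuple[Dict[str, str], List[str]]:
    """Validate a whole settings form. Returns (cleaned values, keys rejected)."""
    cleaned: Dict[str, str] = {}
    rejected: List[str] = []
    for key, raw in settings.items():
        validator = choose_validator(key, allow_html_in_custom_fields)
        try:
            cleaned[key] = validator(raw)
        except ValueError:
            rejected.append(key)
    return cleaned, rejected


# Constructed sample form submission, not data from the project.
SAMPLE_SETTINGS = {
    "blog_name": "My <script>alert(1)</script> blog",
    "allowed_html_tags": "<a><b><i>",
    "custom_bio": "<p>Hello</p>",
    "summary_text": "x < y",
}

if __name__ == "__main__":
    cleaned, rejected = validate_settings(SAMPLE_SETTINGS)
    for key, value in cleaned.items():
        print(f"{key}: {value}")
    print("rejected:", rejected)
```

With the switch left at its default, every field comes back tag-free and escaped while `allowed_html_tags` is normalised to `a,b,i`; a value like `<a href=evil>` in that setting is rejected outright rather than partially cleaned, which is the behaviour you want for a field that later drives what other validators permit.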