[pLog-svn] today's changes

Jon Daley plogworld at jon.limedaley.com
Tue Jul 1 08:38:15 EDT 2008


I am not quite sure what you are saying - that we don't need a configuration option?  Is there a way for a plugin to bypass our validation, if we are stripping out all HTML?  It also seems like someone might be using a custom field without a plugin, i.e. not a developer, and so wouldn't be able to write their own code?

I don't really know - I have only used custom fields to test reported bugs.  I was just worried about breaking something, and then having people not want to upgrade to 1.2.9 since things broke.  I'd expect most people not to care about the custom field validation change, but maybe someone does?

On Tue, 1 Jul 2008, Mark Wu wrote:

> Actually, I think only allowing non-HTML text in custom fields should be enough.
>
> If a plugin developer really needs HTML somewhere, he should create his own DAO and use the correct validator for it.
>
> Mark
>
>> -----Original Message-----
>> From: plog-svn-bounces at devel.lifetype.net
>> [mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of Jon Daley
>> Sent: Tuesday, July 01, 2008 3:06 AM
>> To: LifeType Developer List
>> Subject: Re: [pLog-svn] today's changes
>>
>> I have been thinking about the custom_field and global_settings validation - what if we strip out all HTML (except for the one setting that needs HTML (allowed_html_tags)) but put a hidden configuration option so people can disable that if they have been depending on it for their custom fields?
>>
>> And then in 2.0 we would add a validator to the "new custom field" creator, and the user can pick which validator is necessary - and if he requires the ability to allow javascript in his custom fields, well - then he is at risk, but there isn't any way to prevent that (outside of the previously talked about XSS/CSRF/etc stuff).
>>
>>
>> On Sat, 21 Jun 2008, Jon Daley wrote:
>>
>>> I haven't tested the registration process.  Everything else should be good.
>>>
>>> I am not planning on any more changes, except to check the TODOs to see if we are going to do anything with them for 1.2.9.
>>>
>>> One important TODO is the globalsettings validation (and probably other places like that).  Maybe we can just do a stringvalidator(false) to validate everything, except a couple of settings?
>>>
>>> I would be alright with leaving the customfield validation until later - they are add-ons, custom done, (so harder to guess to exploit).  It would be able to announce with the 1.2.9 "we don't know of any security issues/exploits", which would mean fixing the customfield validation now.
>>>
>>>
>>>
>>
>> --
>> Jon Daley
>> http://jon.limedaley.com
>> ~~
>> I never think of the future.  It comes soon enough.
>> -- Albert Einstein
>> _______________________________________________
>> pLog-svn mailing list
>> pLog-svn at devel.lifetype.net
>> http://limedaley.com/mailman/listinfo/plog-svn
>

-- 
Jon Daley
http://jon.limedaley.com
~~
A man never stands as tall as when he kneels to help a child.
-- Knights of Pythagoras
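As an added illustration (not code from LifeType or from anyone on this thread), here is the rule under discussion written out in PHP: every custom-field or global-settings value is reduced to plain text, the allow-listed allowed_html_tags key keeps its markup, and a legacy switch stands in for the hidden configuration option Jon proposes. The function, constant and option names are assumptions, as is the sample input.

```php
<?php
// Added example, not LifeType's own code: a model of the rule proposed in
// the thread. Every custom-field / global-settings value is reduced to plain
// text, except the one key that legitimately carries markup
// (allowed_html_tags) and except when a hidden legacy option keeps the old
// permissive behaviour. Function and option names here are assumptions.

const KEYS_THAT_MAY_CONTAIN_HTML = ['allowed_html_tags'];

// Reduce one submitted value to plain text. Entities are decoded *before*
// stripping so that "&lt;script&gt;" cannot pass strip_tags unchanged and
// become a live tag when the stored value is rendered later.
function toPlainText(string $value): string
{
    $decoded  = html_entity_decode($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $stripped = strip_tags($decoded);
    // Whatever survives is data, not markup: neutralise stray brackets so the
    // stored string can never be interpreted as a tag.
    return str_replace(['<', '>'], ['&lt;', '&gt;'], $stripped);
}

// Validate a map of setting name => submitted value.
// Returns [cleanValues, namesThatWereModified] so the caller can warn an
// admin when the stricter rule actually changed something they had stored.
function validateSettings(array $submitted, bool $legacyAllowHtml = false): array
{
    $clean = [];
    $modified = [];
    foreach ($submitted as $name => $value) {
        $value = (string) $value;
        if ($legacyAllowHtml || in_array($name, KEYS_THAT_MAY_CONTAIN_HTML, true)) {
            $clean[$name] = $value;   // markup explicitly accepted for this key
            continue;
        }
        $text = toPlainText($value);
        if ($text !== $value) {
            $modified[] = $name;
        }
        $clean[$name] = $text;
    }
    return [$clean, $modified];
}

// Constructed sample input: one allow-listed key, one plain tag, one entity-encoded tag.
[$clean, $modified] = validateSettings([
    'allowed_html_tags' => '<a><b><i>',
    'site_tagline'      => 'Hello <b>world</b> <script>alert(1)</script>',
    'footer_note'       => '&lt;img src=x onerror=alert(1)&gt;',
]);
var_export([$clean, $modified]);
```

Calling validateSettings($input, true) reproduces the old permissive behaviour for installs that depend on markup in custom fields, which is the role the hidden option plays in the proposal.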

