[pLog-svn] today's changes

Mark Wu markplace at gmail.com
Tue Jul 1 08:51:38 EDT 2008


Yes, but I want to keep the custom field simple. We only allow non-HTML
content in it.

If a plugin developer wants his plugin to use a custom field, then we just
tell them "it is impossible to allow HTML in a custom field".

We can ask them to create a new table for this purpose.

That's why I said it is easier for us.

Mark 

> -----Original Message-----
> From: plog-svn-bounces at devel.lifetype.net 
> [mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of Jon Daley
> Sent: Tuesday, July 01, 2008 8:38 PM
> To: LifeType Developer List
> Subject: Re: [pLog-svn] today's changes
> 
>  	I am not quite sure what you are saying - that we don't 
> need a configuration option?  Is there a way for a plugin to 
> bypass our validation, if we are stripping out all HTML?  It 
> also seems like someone might be using a custom field without 
> a plugin, ie. not a developer, and so wouldn't be able to 
> write their own code?
>  	I don't really know - I have only used custom fields to 
> test reported bugs.  I was just worried about breaking 
> something, and then have people not wanting to upgrade to 
> 1.2.9 since things broke.  I'd expect most people to not care 
> about the custom field validation change, but maybe someone does?
> 
> On Tue, 1 Jul 2008, Mark Wu wrote:
> 
> > Actually, I think only allowing non-HTML text in custom fields
> > should be enough.
> >
> > If a plugin developer really needs HTML somewhere, he should create
> > his own DAO and use the correct validator for it.
> >
> > Mark
> >
> >> -----Original Message-----
> >> From: plog-svn-bounces at devel.lifetype.net
> >> [mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of Jon Daley
> >> Sent: Tuesday, July 01, 2008 3:06 AM
> >> To: LifeType Developer List
> >> Subject: Re: [pLog-svn] today's changes
> >>
> >>  	I have been thinking about the custom_field and global_settings
> >> validation - what if we strip out all HTML (except for the one
> >> setting that needs HTML (allowed_html_tags)) but put a hidden
> >> configuration option so people can disable that if they have been
> >> depending on it for their custom fields?
> >>
> >>  	And then in 2.0 we would add a validator to the "new custom field"
> >> creator, and the user can pick which validator is necessary - and if
> >> he requires the ability to allow javascript in his custom fields,
> >> well - then he is at risk, but there isn't any way to prevent that
> >> (outside of the previously talked about XSS/CSRF/etc stuff).
> >>
> >>
> >> On Sat, 21 Jun 2008, Jon Daley wrote:
> >>
> >>> 	I haven't tested the registration process.  Everything
> >>> else should be good.
> >>>
> >>> 	I am not planning on any more changes, except to check
> >>> the TODOs to see if we are going to do anything with them for 1.2.9.
> >>>
> >>> 	One important TODO is the globalsettings validation
> >>> (and probably other places like that).  Maybe we can just do a
> >>> stringvalidator(false) to validate everything, except a
> >>> couple of settings?
> >>>
> >>> 	I would be alright with leaving the customfield
> >>> validation until later - they are add-ons, custom done (so harder
> >>> to guess to exploit). We would be able to announce with 1.2.9 that
> >>> "we don't know of any security issues/exploits", which would mean
> >>> fixing the customfield validation now.
> >>>
> >>
> >> --
> >> Jon Daley
> >> http://jon.limedaley.com
> >> ~~
> >> I never think of the future.  It comes soon enough.
> >> -- Albert Einstein
> >> _______________________________________________
> >> pLog-svn mailing list
> >> pLog-svn at devel.lifetype.net
> >> http://limedaley.com/mailman/listinfo/plog-svn
> 
> -- 
> Jon Daley
> http://jon.limedaley.com
> ~~
> A man never stands as tall as when he kneels to help a child.
> -- Knights of Pythagoras
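The validation scheme the thread converges on (strip all HTML from global
settings and custom fields, give allowed_html_tags its own validator because
its value legitimately looks like markup, and keep a hidden switch for sites
that depended on the old behaviour), written out as an added Python model.
This is an illustration for the archive, not LifeType's own code: LifeType
is PHP and its StringValidator behaves as the project defines it, the
setting names and the comma-separated format assumed for allowed_html_tags
are constructed for the example, and the "legacy_allow_html" switch stands
in for the hidden configuration option Jon describes. The example also
shows the check a practitioner would want before shipping a stripper: a
version that decodes entities and stores the result verbatim turns
"&lt;script&gt;" into a live tag, so the kept text is re-escaped on the
assumption that templates print settings without escaping them again.

```python
import html
import re
from html.parser import HTMLParser

# Assumed format for the one setting that legitimately looks like markup:
# a comma-separated list of tag names, with or without angle brackets,
# e.g. "<b>, <i>, a". The format is an assumption made for this example.
BARE_TAG_NAME = re.compile(r"[a-z][a-z0-9]*")


class _TextOnly(HTMLParser):
    """Keeps character data and drops every tag, comment, declaration and
    processing instruction. Script/style bodies come through as plain
    text, which is harmless once nothing can re-open a <script> element."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []

    def handle_data(self, data):
        self.parts.append(data)


def strip_html_naive(value: str) -> str:
    """The weak version: strips tags but stores the decoded text verbatim.
    convert_charrefs turns '&lt;script&gt;' into '<script>' on the way
    through, so an entity-encoded payload comes out as live markup."""
    parser = _TextOnly()
    parser.feed(value)
    parser.close()
    return "".join(parser.parts)


def strip_html(value: str) -> str:
    """The hardened version: strip, then escape whatever survived, so the
    stored string cannot be read as markup when a template prints it."""
    return html.escape(strip_html_naive(value), quote=True)


def normalize_allowed_tags(value: str) -> list[str]:
    """Validator for allowed_html_tags: accept bare tag names only, so an
    entry such as "<a href='x'>" (attributes, quotes, spaces) is rejected
    instead of being written into the settings table."""
    if not value.strip():
        return []
    tags = []
    for item in value.split(","):
        name = item.strip().lower()
        if name.startswith("<") and name.endswith(">"):
            name = name[1:-1].strip()
        if not BARE_TAG_NAME.fullmatch(name):
            raise ValueError(f"not a bare tag name: {item.strip()!r}")
        tags.append(name)
    return tags


def validate_global_setting(name: str, value: str):
    """The thread's 'stringvalidator(false) for everything except
    allowed_html_tags' rule. Setting names here are constructed."""
    if name == "allowed_html_tags":
        return normalize_allowed_tags(value)
    return strip_html(value)


def validate_custom_field(value: str, legacy_allow_html: bool = False) -> str:
    """Custom fields get the same treatment unless the hypothetical hidden
    configuration option is on, in which case the old behaviour is kept
    and the site owner carries the XSS risk the thread talks about."""
    if legacy_allow_html:
        return value
    return strip_html(value)


if __name__ == "__main__":
    # Constructed inputs for the demo; not real LifeType data.
    samples = {
        "site_name": "<i>My</i> blog",
        "allowed_html_tags": "<b>, <i>, a, IMG",
        "footer": "&lt;script&gt;alert(1)&lt;/script&gt;",
    }
    for name, value in samples.items():
        print(f"{name}: {validate_global_setting(name, value)!r}")
    payload = '<img src=x onerror="alert(1)">ok'
    print("custom field, stripped:", repr(validate_custom_field(payload)))
    print("custom field, legacy:  ",
          repr(validate_custom_field(payload, legacy_allow_html=True)))
```

The point of keeping strip_html_naive next to strip_html is the "footer"
sample: both drop real tags, but only the escaped form keeps an
entity-encoded payload inert. Whether the stored value should be escaped
or merely tag-free depends on whether the templates escape on output; the
example assumes they do not, which is the case that makes the stripper the
last line of defence.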


