[pLog-svn] today's changes

Jon Daley plogworld at jon.limedaley.com
Tue Jul 1 08:56:55 EDT 2008


 	When you say "we only allowed non-html content", in the past tense 
- do you mean we haven't allowed html in the past either?  If it currently 
doesn't work, then that is fine, and I can add the validator.  I figured 
that since we weren't currently validating the input, we are allowing 
HTML, and if I add the html remover code, it could break someone's site.
 	Ah - maybe you are saying we don't need to have a fancier 
validation system in 2.0, that is fine.  I don't care as much about stuff 
going forward, as breaking existing sites.

On Tue, 1 Jul 2008, Mark Wu wrote:
> Yes, but I want to keep the custom field simple. We only allowed non-html
> content in it.
>
> If a plugin developer wants to allow his plugin in the custom field, then we
> just tell them "it is impossible to allow html in custom field".
>
> We can ask them to create a new table for this purpose.
>
> That's why I said it is easier for us.
>
> Mark
>
>> -----Original Message-----
>> From: plog-svn-bounces at devel.lifetype.net
>> [mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of Jon Daley
>> Sent: Tuesday, July 01, 2008 8:38 PM
>> To: LifeType Developer List
>> Subject: Re: [pLog-svn] today's changes
>>
>>  	I am not quite sure what you are saying - that we don't
>> need a configuration option?  Is there a way for a plugin to
>> bypass our validation, if we are stripping out all HTML?  It
>> also seems like someone might be using a custom field without
>> a plugin, i.e. not a developer, and so wouldn't be able to
>> write their own code?
>>  	I don't really know - I have only used custom fields to
>> test reported bugs.  I was just worried about breaking
>> something, and then have people not wanting to upgrade to
>> 1.2.9 since things broke.  I'd expect most people to not care
>> about the custom field validation change, but maybe someone does?
>>
>> On Tue, 1 Jul 2008, Mark Wu wrote:
>>
>>> Actually, I think only allowing non-html text in the custom field
>>> should be enough.
>>>
>>> If a plugin developer really needs html somewhere, he should create
>>> his own DAO and use the correct validator for it.
>>>
>>> Mark
>>>
>>>> -----Original Message-----
>>>> From: plog-svn-bounces at devel.lifetype.net
>>>> [mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of Jon Daley
>>>> Sent: Tuesday, July 01, 2008 3:06 AM
>>>> To: LifeType Developer List
>>>> Subject: Re: [pLog-svn] today's changes
>>>>
>>>>  	I have been thinking about the custom_field and global_settings
>>>> validation - what if we strip out all HTML (except for the one
>>>> setting that needs html (allowed_html_tags)) but put a hidden
>>>> configuration option so people can disable that if they have been
>>>> depending on it for their custom fields?
>>>>
>>>>  	And then in 2.0 we would add a validator to the "new custom field"
>>>> creator, and the user can pick which validator is necessary - and if
>>>> he requires the ability to allow javascript in his custom fields,
>>>> well - then he is at risk, but there isn't any way to prevent that
>>>> (outside of the previously talked about XSS/CSRF/etc stuff).
>>>>
>>>>
>>>> On Sat, 21 Jun 2008, Jon Daley wrote:
>>>>
>>>>> 	I haven't tested the registration process.  Everything else should
>>>>> be good.
>>>>>
>>>>> 	I am not planning on any more changes, except to check the TODOs to
>>>>> see if we are going to do anything with them for 1.2.9.
>>>>>
>>>>> 	One important TODO is the globalsettings validation (and probably
>>>>> other places like that).  Maybe we can just do a
>>>>> stringvalidator(false) to validate everything, except a couple settings?
>>>>>
>>>>> 	I would be alright with leaving the customfield validation until
>>>>> later - they are add-ons, custom done, (so harder to guess to
>>>>> exploit). We would be able to announce with the 1.2.9 "we don't know
>>>>> of any security issues/exploits", which would mean fixing
>>>>> the customfield validation now.
>>>>>
>>>>>
>>>>>
>>>>
>>>> --
>>>> Jon Daley
>>>> http://jon.limedaley.com
>>>> ~~
>>>> I never think of the future.  It comes soon enough.
>>>> -- Albert Einstein
>>>> _______________________________________________
>>>> pLog-svn mailing list
>>>> pLog-svn at devel.lifetype.net
>>>> http://limedaley.com/mailman/listinfo/plog-svn
>>>
>>
>> --
>> Jon Daley
>> http://jon.limedaley.com
>> ~~
>> A man never stands as tall as when he kneels to help a child.
>> -- Knights of Pythagoras
>

-- 
Jon Daley
http://jon.limedaley.com
~~
8:30 classes aren't bad, especially in the morning.
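The validation approach the thread converges on, as an added example that is not LifeType's own code: strip HTML from custom_field and global_settings values except allowed_html_tags, behind a hidden compatibility option, with a dry run that reports which stored values would change before a site upgrades. Function names and config keys are assumptions, and the sample rows are constructed.

```php
<?php
// Added example, not LifeType code. Sketches the approach discussed in the
// thread: strip HTML from custom_field / global_settings values except the
// one setting (allowed_html_tags) that must hold tag names, behind a hidden
// compatibility option, plus a dry run over stored values showing what the
// stricter rule would change. Function names and config keys are hypothetical.

const CONFIG = ['custom_fields_allow_html' => false]; // hidden option; true keeps old behaviour
function validateSettingValue(string $name, string $value, array $config): string
{
    if ($name === 'allowed_html_tags') {
        // Only a list of bare tag names such as "<b><i><a>" is accepted;
        // attributes or text inside this setting are rejected.
        if ($value !== '' && !preg_match('/^(<[a-z][a-z0-9]*>)+$/i', $value)) {
            throw new InvalidArgumentException('allowed_html_tags: bare tag list only');
        }
        return $value;
    }
    if (!empty($config['custom_fields_allow_html'])) {
        return $value; // site explicitly opted into the legacy behaviour
    }
    // Equivalent of a StringValidator(false): no markup survives. Output
    // escaping still belongs in the template when the value is rendered.
    return strip_tags($value);
}

// Dry run: which stored rows would the strict validator alter or reject?
// Lets an admin decide about the compatibility option before upgrading.
function findValuesThatWouldChange(array $rows, array $config): array
{
    $report = [];
    foreach ($rows as $row) {
        try {
            if (validateSettingValue($row['name'], $row['value'], $config) !== $row['value']) {
                $report[$row['name']] = 'would be stripped';
            }
        } catch (InvalidArgumentException $e) {
            $report[$row['name']] = 'would be rejected';
        }
    }
    return $report;
}
// Constructed sample rows standing in for a custom_field / global_settings query.
$rows = [
    ['name' => 'tagline',           'value' => 'Plain text only'],
    ['name' => 'sidebar_widget',    'value' => '<div>Visit <a href="/x">here</a></div>'],
    ['name' => 'allowed_html_tags', 'value' => '<b><i><a>'],
];
print_r(findValuesThatWouldChange($rows, CONFIG));
```

Running the dry run against the real tables before shipping the stricter validator is the check that answers the "will this break someone's site" question raised in the thread.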