[pLog-svn] today's changes

Mark Wu markplace at gmail.com
Tue Jul 1 08:59:58 EDT 2008


As far as I know, it seems just a few plugins use custom fields, like karma.

So, it won't break any existing plugins.

Mark

> -----Original Message-----
> From: plog-svn-bounces at devel.lifetype.net 
> [mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of Jon Daley
> Sent: Tuesday, July 01, 2008 8:57 PM
> To: LifeType Developer List
> Subject: Re: [pLog-svn] today's changes
> 
>  	When you say "we only allowed non-html content", in the past tense
> - do you mean we haven't allowed html in the past either?  If it
> currently doesn't work, then that is fine, and I can add the validator.
> I figured that since we weren't currently validating the input, we are
> allowing HTML, and if I add the html remover code, it could break
> someone's site.
>  	Ah - maybe you are saying we don't need to have a fancier validation
> system in 2.0, that is fine.  I don't care as much about stuff going
> forward, as breaking existing sites.
> 
> On Tue, 1 Jul 2008, Mark Wu wrote:
> > Yes, but I want to keep the custom field simple. We only allowed
> > non-html content in it.
> >
> > If a plugin developer would like to allow his plugin in a custom field,
> > then we just tell them "it is impossible to allow html in a custom field".
> >
> > We can ask them to create a new table for this purpose.
> >
> > That's why I said it is easier for us.
> >
> > Mark
> >
> >> -----Original Message-----
> >> From: plog-svn-bounces at devel.lifetype.net
> >> [mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of Jon Daley
> >> Sent: Tuesday, July 01, 2008 8:38 PM
> >> To: LifeType Developer List
> >> Subject: Re: [pLog-svn] today's changes
> >>
> >>  	I am not quite sure what you are saying - that we don't need a
> >> configuration option?  Is there a way for a plugin to bypass our
> >> validation, if we are stripping out all HTML?  It also seems like
> >> someone might be using a custom field without a plugin, i.e. not a
> >> developer, and so wouldn't be able to write their own code?
> >>  	I don't really know - I have only used custom fields to test
> >> reported bugs.  I was just worried about breaking something, and then
> >> have people not wanting to upgrade to 1.2.9 since things broke.  I'd
> >> expect most people to not care about the custom field validation
> >> change, but maybe someone does?
> >>
> >> On Tue, 1 Jul 2008, Mark Wu wrote:
> >>
> >>> Actually, I think only allowing non-html text in the custom field
> >>> should be enough.
> >>>
> >>> If a plugin developer really needs html somewhere, he should create
> >>> his own DAO and use the correct validator for it.
> >>>
> >>> Mark
> >>>
> >>>> -----Original Message-----
> >>>> From: plog-svn-bounces at devel.lifetype.net
> >>>> [mailto:plog-svn-bounces at devel.lifetype.net] On Behalf 
> Of Jon Daley
> >>>> Sent: Tuesday, July 01, 2008 3:06 AM
> >>>> To: LifeType Developer List
> >>>> Subject: Re: [pLog-svn] today's changes
> >>>>
> >>>>  	I have been thinking about the custom_field and global_settings
> >>>> validation - what if we strip out all HTML (except for the one
> >>>> setting that needs html (allowed_html_tags)) but put a hidden
> >>>> configuration option so people can disable that if they have been
> >>>> depending on it for their custom fields?
> >>>>
> >>>>  	And then in 2.0 we would add a validator to the "new custom field"
> >>>> creator, and the user can pick which validator is necessary - and if
> >>>> he requires the ability to allow javascript in his custom fields,
> >>>> well - then he is at risk, but there isn't any way to prevent that
> >>>> (outside of the previously talked about XSS/CSRF/etc stuff).
> >>>>
> >>>>
> >>>> On Sat, 21 Jun 2008, Jon Daley wrote:
> >>>>
> >>>>> 	I haven't tested the registration process.  Everything else
> >>>>> should be good.
> >>>>>
> >>>>> 	I am not planning on any more changes, except to check the TODOs
> >>>>> to see if we are going to do anything with them for 1.2.9.
> >>>>>
> >>>>> 	One important TODO is the globalsettings validation (and probably
> >>>>> other places like that).  Maybe we can just do a
> >>>>> stringvalidator(false) to validate everything, except a couple
> >>>>> settings?
> >>>>>
> >>>>> 	I would be alright with leaving the customfield validation until
> >>>>> later - they are add-ons, custom done, (so harder to guess to
> >>>>> exploit). We would be able to announce with the 1.2.9 "we don't
> >>>>> know of any security issues/exploits", which would mean fixing the
> >>>>> customfield validation now.
> >>>>>
> >>>>>
> >>>>>
> >>>>
> >>>> --
> >>>> Jon Daley
> >>>> http://jon.limedaley.com
> >>>> ~~
> >>>> I never think of the future.  It comes soon enough.
> >>>> -- Albert Einstein
> >>>> _______________________________________________
> >>>> pLog-svn mailing list
> >>>> pLog-svn at devel.lifetype.net
> >>>> http://limedaley.com/mailman/listinfo/plog-svn
> >>>
> >>>
> >>
> >> --
> >> Jon Daley
> >> http://jon.limedaley.com
> >> ~~
> >> A man never stands as tall as when he kneels to help a child.
> >> -- Knights of Pythagoras
> >
> >
> 
> --
> Jon Daley
> http://jon.limedaley.com
> ~~
> 8:30 classes aren't bad, especially in the morning.
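The validation approach the thread goes back and forth on (strip HTML from every custom_field and global_settings value, keep the one setting that legitimately holds markup, and offer a configuration switch for sites that have been depending on raw HTML), as an added example that is not part of the thread and is not LifeType's own code. LifeType's StringValidator and DAO classes are not used; `HTML_ALLOWED_KEYS`, `validatePlainString`, `validateSettings` and the `$stripHtml` switch are assumptions standing in for the allowed_html_tags exception and the hidden configuration option, and the submitted settings are a constructed sample.

```php
<?php
// Added example, not LifeType's own code. It sketches the approach discussed
// in the thread: run every custom_field / global_settings value through a
// plain-string validator that strips HTML, except for an explicit allow-list
// of keys (allowed_html_tags), with a hypothetical configuration switch that
// lets a site keep raw HTML if it has been depending on it.

declare(strict_types=1);

/** Keys whose value is expected to contain markup. Hypothetical list. */
const HTML_ALLOWED_KEYS = ['allowed_html_tags'];

/**
 * Validate one value as plain text. Returns the cleaned string, or null if
 * the value cannot be turned into a safe plain string at all.
 */
function validatePlainString(string $value): ?string
{
    // Reject control characters other than tab, LF and CR before stripping,
    // so a value cannot smuggle a NUL byte into later string handling.
    if (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', $value)) {
        return null;
    }
    // strip_tags removes tags and their attributes but keeps the text between
    // them and does not decode entities, so the result must still be escaped
    // when it is rendered.
    return trim(strip_tags($value));
}

/**
 * Validate a whole settings array.
 *
 * @param array<string,string> $values    key => raw value from the form
 * @param bool                 $stripHtml hypothetical config switch standing in
 *                                        for the "hidden configuration option"
 *                                        that lets a site keep raw HTML
 * @return array{clean: array<string,string>, rejected: string[]}
 */
function validateSettings(array $values, bool $stripHtml = true): array
{
    $clean = [];
    $rejected = [];
    foreach ($values as $key => $value) {
        $value = (string) $value;
        if (!$stripHtml || in_array($key, HTML_ALLOWED_KEYS, true)) {
            $clean[$key] = $value; // passed through unchanged
            continue;
        }
        $result = validatePlainString($value);
        if ($result === null) {
            $rejected[] = $key;    // caller should report a validation error
            continue;
        }
        $clean[$key] = $result;
    }
    return ['clean' => $clean, 'rejected' => $rejected];
}

// Constructed sample input, shaped like a settings form submission.
$submitted = [
    'blog_name'         => 'My <b>blog</b> <script>x()</script>',
    'allowed_html_tags' => '<b>,<i>,<a>',
    'karma_value'       => '5',
    'bad_value'         => "x\x00y",
];

$result = validateSettings($submitted);
// blog_name         becomes "My blog x()" (tags gone, inner text kept)
// allowed_html_tags stays   "<b>,<i>,<a>"
// karma_value       stays   "5"
// bad_value         is listed under 'rejected'
foreach ($result['clean'] as $key => $value) {
    // Escape on output regardless of what validation did on input.
    printf("%s = %s\n", $key, htmlspecialchars($value, ENT_QUOTES, 'UTF-8'));
}
printf("rejected: %s\n", implode(', ', $result['rejected']));
```

Two points from the thread map directly onto the code: the `allowed_html_tags` allow-list is the single exception Jon mentions, and `$stripHtml = false` is the escape hatch for a site that would otherwise break on upgrade. Because `strip_tags` keeps the text between tags and leaves entities alone, the input-side pass is only a reduction of what can be stored; templates still have to escape on output, which is why the example encodes with `htmlspecialchars` when printing.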
