[pLog-svn] today's changes

Jon Daley plogworld at jon.limedaley.com
Tue Jul 1 09:02:26 EDT 2008


 	I hadn't checked the plugins yet, but couldn't someone be using 
custom fields without a plugin?

On Tue, 1 Jul 2008, Mark Wu wrote:

> As far as I know, it seems just a few plugins use custom fields, like karma.
>
> So, it won't break any existing plugins.
>
> Mark
>
>> -----Original Message-----
>> From: plog-svn-bounces at devel.lifetype.net
>> [mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of Jon Daley
>> Sent: Tuesday, July 01, 2008 8:57 PM
>> To: LifeType Developer List
>> Subject: Re: [pLog-svn] today's changes
>>
>>  	When you say "we only allowed non-html content", in the past tense
>> - do you mean we haven't allowed html in the past either?  If it
>> currently doesn't work, then that is fine, and I can add the
>> validator.  I figured that since we weren't currently validating the
>> input, we are allowing HTML, and if I add the html remover code, it
>> could break someone's site.
>>  	Ah - maybe you are saying we don't need to have a fancier
>> validation system in 2.0, that is fine.  I don't care as much about
>> stuff going forward, as breaking existing sites.
>>
>> On Tue, 1 Jul 2008, Mark Wu wrote:
>>> Yes, but I want to keep the custom field simple. We only allowed
>>> non-html content in it.
>>>
>>> If a plugin developer likes to allow his plugin in custom fields,
>>> then we just tell them "it is impossible to allow html in custom
>>> field".
>>>
>>> We can ask them to create a new table for this purpose.
>>>
>>> That's why I said it is easier for us.
>>>
>>> Mark
>>>
>>>> -----Original Message-----
>>>> From: plog-svn-bounces at devel.lifetype.net
>>>> [mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of Jon Daley
>>>> Sent: Tuesday, July 01, 2008 8:38 PM
>>>> To: LifeType Developer List
>>>> Subject: Re: [pLog-svn] today's changes
>>>>
>>>>  	I am not quite sure what you are saying - that we don't need a
>>>> configuration option?  Is there a way for a plugin to bypass our
>>>> validation, if we are stripping out all HTML?  It also seems like
>>>> someone might be using a custom field without a plugin, i.e. not a
>>>> developer, and so wouldn't be able to write their own code?
>>>>  	I don't really know - I have only used custom fields to test
>>>> reported bugs.  I was just worried about breaking something, and
>>>> then have people not wanting to upgrade to 1.2.9 since things
>>>> broke.  I'd expect most people to not care about the custom field
>>>> validation change, but maybe someone does?
>>>>
>>>> On Tue, 1 Jul 2008, Mark Wu wrote:
>>>>
>>>>> Actually, I think only allowing non-html text in the custom field
>>>>> should be enough.
>>>>>
>>>>> If a plugin developer really needs html somewhere, he should
>>>>> create his own DAO and use the correct validator for it.
>>>>>
>>>>> Mark
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: plog-svn-bounces at devel.lifetype.net
>>>>>> [mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of Jon Daley
>>>>>> Sent: Tuesday, July 01, 2008 3:06 AM
>>>>>> To: LifeType Developer List
>>>>>> Subject: Re: [pLog-svn] today's changes
>>>>>>
>>>>>>  	I have been thinking about the custom_field and global_settings
>>>>>> validation - what if we strip out all HTML (except for the one
>>>>>> setting that needs html (allowed_html_tags)) but put a hidden
>>>>>> configuration option so people can disable that if they have been
>>>>>> depending on it for their custom fields?
>>>>>>
>>>>>>  	And then in 2.0 we would add a validator to the "new custom
>>>>>> field" creator, and the user can pick which validator is
>>>>>> necessary - and if he requires the ability to allow javascript in
>>>>>> his custom fields, well - then he is at risk, but there isn't
>>>>>> any way to prevent that (outside of the previously talked about
>>>>>> XSS/CSRF/etc stuff).
>>>>>>
>>>>>>
>>>>>> On Sat, 21 Jun 2008, Jon Daley wrote:
>>>>>>
>>>>>>> 	I haven't tested the registration process.  Everything else
>>>>>>> should be good.
>>>>>>>
>>>>>>> 	I am not planning on any more changes, except to check the
>>>>>>> TODOs to see if we are going to do anything with them for 1.2.9.
>>>>>>>
>>>>>>> 	One important TODO is the globalsettings validation (and
>>>>>>> probably other places like that).  Maybe we can just do a
>>>>>>> stringvalidator(false) to validate everything, except a couple
>>>>>>> settings?
>>>>>>>
>>>>>>> 	I would be alright with leaving the customfield validation until
>>>>>>> later - they are add-ons, custom done, (so harder to guess to
>>>>>>> exploit). It would be able to announce with the 1.2.9 "we don't
>>>>>>> know of any security issues/exploits", which would mean fixing
>>>>>>> the customfield validation now.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> --
>>>>>> Jon Daley
>>>>>> http://jon.limedaley.com
>>>>>> ~~
>>>>>> I never think of the future.  It comes soon enough.
>>>>>> -- Albert Einstein
>>>>>> _______________________________________________
>>>>>> pLog-svn mailing list
>>>>>> pLog-svn at devel.lifetype.net
>>>>>> http://limedaley.com/mailman/listinfo/plog-svn
>>>>>
>>>>
>>>> --
>>>> Jon Daley
>>>> http://jon.limedaley.com
>>>> ~~
>>>> A man never stands as tall as when he kneels to help a child.
>>>> -- Knights of Pythagoras
>>>
>>
>> --
>> Jon Daley
>> http://jon.limedaley.com
>> ~~
>> 8:30 classes aren't bad, especially in the morning.
>

-- 
Jon Daley
http://jon.limedaley.com
~~
Sympathy is never wasted except when you give it to yourself.
-- John W. Draper
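The scheme Jon describes further down the thread (strip all HTML from global settings and custom field values, exempt the one setting that has to hold markup, and add a hidden configuration option so that sites which depend on HTML can turn the stripping off) is sketched below as an added example in PHP. It is not LifeType code: the class name, the config key 'strip_html_in_settings' and the exemption list are assumptions, and only 'allowed_html_tags' comes from the thread.

```php
<?php
// Added example (not LifeType code): a settings/custom-field sanitizer in the
// shape the thread proposes. The class name, the config key
// 'strip_html_in_settings' and the exemption list are assumptions; only
// 'allowed_html_tags' is named in the thread.

class SettingsSanitizer
{
    /** Settings that legitimately contain markup and therefore bypass stripping. */
    private const HTML_ALLOWED_SETTINGS = ['allowed_html_tags'];

    private bool $stripHtml;

    public function __construct(array $config)
    {
        // Hidden switch, on by default; a site that has relied on HTML in its
        // custom fields sets 'strip_html_in_settings' => false to keep the old
        // behaviour.
        $this->stripHtml = (bool) ($config['strip_html_in_settings'] ?? true);
    }

    /**
     * Value to store for the setting or custom field $name.
     * Markup is removed unless the name is exempt or the site opted out.
     */
    public function sanitize(string $name, string $value): string
    {
        if (!$this->stripHtml || in_array($name, self::HTML_ALLOWED_SETTINGS, true)) {
            return $value;
        }
        // strip_tags() removes tags but keeps their text content, so the stored
        // value still has to be escaped (htmlspecialchars) when it is rendered.
        return strip_tags($value);
    }

    /** Apply sanitize() to every field of a submitted settings array. */
    public function sanitizeAll(array $fields): array
    {
        $clean = [];
        foreach ($fields as $name => $value) {
            $clean[$name] = $this->sanitize((string) $name, (string) $value);
        }
        return $clean;
    }
}

// Constructed sample input, the kind of POST body the admin settings form
// would submit; the values are made up for this example.
$submitted = [
    'blog_title'        => 'My <b>blog</b>',
    'allowed_html_tags' => '<b>,<i>,<a>',
    'custom_tagline'    => 'hello <script>alert(1)</script> world',
];

// Default behaviour: tags are stripped everywhere except allowed_html_tags.
$strict = new SettingsSanitizer(['strip_html_in_settings' => true]);
print_r($strict->sanitizeAll($submitted));

// Legacy site that opted out via the hidden option: values pass through unchanged.
$legacy = new SettingsSanitizer(['strip_html_in_settings' => false]);
print_r($legacy->sanitizeAll($submitted));
```

Two points worth keeping in mind with this shape: strip_tags() drops the tags but not the text inside them, so a stripped value is "safe" only in the sense that it contains no markup, and it must still be escaped on output like any other string; and the per-field validator Jon wants for 2.0 amounts to letting the "new custom field" creator extend the exemption list (or pick a different validator) for a single field instead of flipping the site-wide switch.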

