[pLog-svn] r6688 - plog/branches/lifetype-1.2/class/action
Mark Wu
markplace at gmail.com
Tue Jul 1 09:06:58 EDT 2008
If you show an error message to the user, then he will know "Ah, this system
filters HTML, so it is useless if I try again."
If you just let the user do the search, then he will try another combination to
see if our system filters this.
But, as I said, it is okay for me if you want to change it back, because we
already filter it before using it.
Mark
> -----Original Message-----
> From: plog-svn-bounces at devel.lifetype.net
> [mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of Jon Daley
> Sent: Tuesday, July 01, 2008 9:02 PM
> To: LifeType Developer List
> Subject: Re: [pLog-svn] r6688 -
> plog/branches/lifetype-1.2/class/action
>
> I am not sure what you mean about preventing the hacker
> from trying again and again. Since the input was correctly
> filtered previously, either way, the hacker is stopped. And
> so, revision 6688 only changes the behavior for people who
> are typing in HTML by accident - maybe pasting in code from
> somewhere else? I don't know exactly how a person would run
> into this, but I had left the code the way it was, since I
> thought it might be better to not change that behavior (I
> guess really the same argument I am trying to make in the
> custom field thread - I don't want to break something that
> currently works for someone, provided I can still make LT secure).
>
> On Tue, 1 Jul 2008, Mark Wu wrote:
>
> > I had the same thought before.
> >
> > And after reviewing the code, I think it is better if LifeType just
> > rejects it and asks the user to try again.
> >
> > Because it will show the warning message to users, and it can prevent
> > hackers from trying again and again.
> >
> > And it is okay for me if you want to allow HTML here, because we
> > already filter it before using it.
> >
> > Mark
> >
> >> -----Original Message-----
> >> From: plog-svn-bounces at devel.lifetype.net
> >> [mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of Jon Daley
> >> Sent: Tuesday, July 01, 2008 8:34 PM
> >> To: LifeType Developer List
> >> Subject: Re: [pLog-svn] r6688 -
> >> plog/branches/lifetype-1.2/class/action
> >>
> >> Yeah, I wondered about this - I think there is a filter later, and
> >> so that's why I left it. We should probably remove the filter if we
> >> aren't going to allow it at all.
> >> Though when I thought about it, I thought the filter solution was a
> >> better one - so then the user doesn't get an error, but it just does
> >> the search.
> >>
> >> On Tue, 1 Jul 2008, mark at devel.lifetype.net wrote:
> >>
> >>> Author: mark
> >>> Date: 2008-07-01 01:41:15 -0400 (Tue, 01 Jul 2008)
> >>> New Revision: 6688
> >>>
> >>> Modified:
> >>> plog/branches/lifetype-1.2/class/action/defaultaction.class.php
> >>> plog/branches/lifetype-1.2/class/action/searchaction.class.php
> >>> Log:
> >>> We should not allow the html in searchTerms.
> >>>
> >>> Modified:
> >>> plog/branches/lifetype-1.2/class/action/defaultaction.class.php
> >>>
> ===================================================================
> >>> ---
> >> plog/branches/lifetype-1.2/class/action/defaultaction.cl
> >> ass.php 2008-07-01 05:37:16 UTC (rev 6687)
> >>> +++
> >> plog/branches/lifetype-1.2/class/action/defaultaction.cl
> >> ass.php 2008-07-01 05:41:15 UTC (rev 6688)
> >>> @@ -30,7 +30,7 @@
> >>> {
> >>> $this->BlogAction( $actionInfo, $request );
> >>>
> >>> - $this->registerFieldValidator(
> >> "searchTerms", new StringValidator( true ), true );
> >>> + $this->registerFieldValidator(
> >> "searchTerms", new
> >>> +StringValidator(), true );
> >>> $this->registerFieldValidator(
> >> "postCategoryId", new IntegerValidator(), true );
> >>> $this->registerFieldValidator(
> >> "postCategoryName", new StringValidator( ), true );
> >>> $this->registerFieldValidator(
> >> "userId", new IntegerValidator(),
> >>> true );
> >>>
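Review bot: the reason for dropping the `true` argument to `StringValidator` on the `searchTerms` registration lives only in the log message ("We should not allow the html in searchTerms"); add a one-line comment at the `registerFieldValidator( "searchTerms", new StringValidator(), true )` call stating that HTML is rejected on purpose, because the identical registration is repeated in searchaction.class.php and a later edit to one file without the other would silently reintroduce the mismatch. The thread also mentions a later filter on the same field; once the validator rejects markup, record whether that filter stays as defence in depth or is removed, so the two checks do not drift apart.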
> >>> Modified:
> >>> plog/branches/lifetype-1.2/class/action/searchaction.class.php
> >>>
> ===================================================================
> >>> ---
> >> plog/branches/lifetype-1.2/class/action/searchaction.cl
> >> ass.php 2008-07-01 05:37:16 UTC (rev 6687)
> >>> +++
> >> plog/branches/lifetype-1.2/class/action/searchaction.cl
> >> ass.php 2008-07-01 05:41:15 UTC (rev 6688)
> >>> @@ -23,7 +23,7 @@
> >>> $this->BlogAction( $actionInfo, $request );
> >>>
> >>> // data validation
> >>> - $this->registerFieldValidator(
> >> "searchTerms", new StringValidator( true ));
> >>> + $this->registerFieldValidator(
> >> "searchTerms", new
> >>> +StringValidator());
> >>> $this->setValidationErrorView( new
> >> ErrorView( $this->_blogInfo, "error_incorrect_search_terms" ));
> >>> }
> >>>
> >>>
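Review bot: this hunk pairs the stricter `searchTerms` validator with `setValidationErrorView( new ErrorView( $this->_blogInfo, "error_incorrect_search_terms" ))`, but the defaultaction hunk above registers the same validator with no corresponding error view visible, so confirm how a rejected term is reported on that entry point; otherwise the two actions behave differently for the same input. Also check that the `error_incorrect_search_terms` view does not echo the rejected term back unescaped, since a term that failed this validator is by definition one that contained markup.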
> >>> _______________________________________________
> >>> pLog-svn mailing list
> >>> pLog-svn at devel.lifetype.net
> >>> http://limedaley.com/mailman/listinfo/plog-svn
> >>>
> >>
> >> --
> >> Jon Daley
> >> http://jon.limedaley.com
> >> ~~
> >> There isn't any problem in child-rearing that cannot be solved with
> >> duct tape.
> >> -- Alan Wagstaff
> >
>
> --
> Jon Daley
> http://jon.limedaley.com
> ~~
> The real world is
> a special case.
> -- Horngren's Observation
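The two policies argued over in this thread, rejecting a search term that contains markup versus stripping the markup and searching anyway, side by side as an added illustration; this is hypothetical code written for this thread, not LifeType's StringValidator, and the `SearchTermPolicy` class and sample inputs are constructed here.

```php
<?php
// Hypothetical helper illustrating "reject" (r6688) versus "filter" (pre-r6688)
// handling of a search term. Not LifeType code; names are invented for this example.
final class SearchTermPolicy
{
    // True when the raw term contains anything strip_tags() would remove,
    // i.e. something that looks like an HTML tag.
    public static function containsMarkup(string $term): bool
    {
        return $term !== strip_tags($term);
    }

    // Reject policy: refuse terms with markup. Returns null so the caller
    // renders a generic error view instead of running the search.
    public static function validate(string $term): ?string
    {
        return self::containsMarkup($term) ? null : $term;
    }

    // Filter policy: strip the markup and run the search on what is left.
    public static function filter(string $term): string
    {
        return trim(strip_tags($term));
    }

    // Under either policy the term must still be encoded when it is echoed
    // into the results page; neither rejecting nor stripping replaces this.
    public static function forHtml(string $term): string
    {
        return htmlspecialchars($term, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Constructed sample inputs: a plain term, and two terms carrying tags.
$inputs = ['lifetype release notes', 'notes <b>bold</b>', '<i>x</i> "quoted"'];
foreach ($inputs as $raw) {
    $validated = SearchTermPolicy::validate($raw);
    $filtered  = SearchTermPolicy::filter($raw);
    printf("%-24s reject: %-6s filter: %-20s echoed: %s\n",
        json_encode($raw),
        $validated === null ? 'error' : 'search',
        json_encode($filtered),
        SearchTermPolicy::forHtml($filtered));
}
```

With the reject policy the user sees an error for the second and third inputs; with the filter policy the search runs on the stripped text, and in both cases the echoed value goes through `htmlspecialchars()` before it reaches the page.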