[pLog-svn] today's changes

Jon Daley plogworld at jon.limedaley.com
Tue Jul 1 09:18:32 EDT 2008


 	Yes, I agree about it being a bad idea to set the configuration 
option, and I wouldn't argue for ever making it public on the admin 
interface, and for the plugin case, yes.
 	My point is that maybe someone is using custom fields for ads or 
something else where html (and even worse, javascript) is allowed in the 
custom field.
 	Going forward, someone trying it will see that it doesn't work, 
and so will probably find some other solution for it, and maybe if no one 
complains in 1.2.9, we could even remove the configuration option in 2.0, 
though I guess I wouldn't care too much either way.

On Tue, 1 Jul 2008, Mark Wu wrote:

> BTW, adding a configuration option for this is a good idea.
>
> But I personally just don't want users to have this kind of flexibility. :)
>
> So, I said it is better to ask plugin developers to create a new table for
> this purpose.
>
> Mark
>
>> -----Original Message-----
>> From: plog-svn-bounces at devel.lifetype.net
>> [mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of Jon Daley
>> Sent: Tuesday, July 01, 2008 8:57 PM
>> To: LifeType Developer List
>> Subject: Re: [pLog-svn] today's changes
>>
>>  	When you say "we only allowed non-html content", in the past tense
>> - do you mean we haven't allowed html in the past either?  If it
>> currently doesn't work, then that is fine, and I can add the validator.
>> I figured that since we weren't currently validating the input, we are
>> allowing HTML, and if I add the html remover code, it could break
>> someone's site.
>>  	Ah - maybe you are saying we don't need to have a fancier
>> validation system in 2.0, that is fine.  I don't care as much about
>> stuff going forward as about breaking existing sites.
>>
>> On Tue, 1 Jul 2008, Mark Wu wrote:
>>> Yes, but I want to keep the custom field simple. We only allowed
>>> non-html content in it.
>>>
>>> If a plugin developer would like to allow his plugin in the custom
>>> field, then we just tell them "it is impossible to allow html in custom
>>> field".
>>>
>>> We can ask them to create a new table for this purpose.
>>>
>>> That's why I said it is easier for us.
>>>
>>> Mark
>>>
>>>> -----Original Message-----
>>>> From: plog-svn-bounces at devel.lifetype.net
>>>> [mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of Jon Daley
>>>> Sent: Tuesday, July 01, 2008 8:38 PM
>>>> To: LifeType Developer List
>>>> Subject: Re: [pLog-svn] today's changes
>>>>
>>>>  	I am not quite sure what you are saying - that we don't need a
>>>> configuration option?  Is there a way for a plugin to bypass our
>>>> validation, if we are stripping out all HTML?  It also seems like
>>>> someone might be using a custom field without a plugin, i.e. not a
>>>> developer, and so wouldn't be able to write their own code?
>>>>  	I don't really know - I have only used custom fields to test
>>>> reported bugs.  I was just worried about breaking something, and then
>>>> having people not want to upgrade to 1.2.9 since things broke.  I'd
>>>> expect most people to not care about the custom field validation
>>>> change, but maybe someone does?
>>>>
>>>> On Tue, 1 Jul 2008, Mark Wu wrote:
>>>>
>>>>> Actually, I think only allowing non-html text in the custom field
>>>>> should be enough.
>>>>>
>>>>> If a plugin developer really needs html somewhere, he should create
>>>>> his own DAO and use the correct validator for it.
>>>>>
>>>>> Mark
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: plog-svn-bounces at devel.lifetype.net
>>>>>> [mailto:plog-svn-bounces at devel.lifetype.net] On Behalf
>> Of Jon Daley
>>>>>> Sent: Tuesday, July 01, 2008 3:06 AM
>>>>>> To: LifeType Developer List
>>>>>> Subject: Re: [pLog-svn] today's changes
>>>>>>
>>>>>>  	I have been thinking about the custom_field and global_settings
>>>>>> validation - what if we strip out all HTML (except for the one
>>>>>> setting that needs html (allowed_html_tags)) but put in a hidden
>>>>>> configuration option so people can disable that if they have been
>>>>>> depending on it for their custom fields?
>>>>>>
>>>>>>  	And then in 2.0 we would add a validator to the "new custom
>>>>>> field" creator, and the user can pick which validator is necessary -
>>>>>> and if he requires the ability to allow javascript in his custom
>>>>>> fields, well - then he is at risk, but there isn't any way to prevent
>>>>>> that (outside of the previously talked about XSS/CSRF/etc stuff).
>>>>>>
>>>>>>
>>>>>> On Sat, 21 Jun 2008, Jon Daley wrote:
>>>>>>
>>>>>>> 	I haven't tested the registration process.  Everything else
>>>>>>> should be good.
>>>>>>>
>>>>>>> 	I am not planning on any more changes, except to check the TODOs
>>>>>>> to see if we are going to do anything with them for 1.2.9.
>>>>>>>
>>>>>>> 	One important TODO is the globalsettings validation (and probably
>>>>>>> other places like that).  Maybe we can just do a
>>>>>>> stringvalidator(false) to validate everything, except a couple of
>>>>>>> settings?
>>>>>>>
>>>>>>> 	I would be alright with leaving the customfield validation until
>>>>>>> later - they are add-ons, custom done, (so harder to guess to
>>>>>>> exploit).  It would be nice to be able to announce with 1.2.9 "we
>>>>>>> don't know of any security issues/exploits", which would mean
>>>>>>> fixing the customfield validation now.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> --
>>>>>> Jon Daley
>>>>>> http://jon.limedaley.com
>>>>>> ~~
>>>>>> I never think of the future.  It comes soon enough.
>>>>>> -- Albert Einstein
>>>>>> _______________________________________________
>>>>>> pLog-svn mailing list
>>>>>> pLog-svn at devel.lifetype.net
>>>>>> http://limedaley.com/mailman/listinfo/plog-svn
>>>>>
>>>>
>>>> --
>>>> Jon Daley
>>>> http://jon.limedaley.com
>>>> ~~
>>>> A man never stands as tall as when he kneels to help a child.
>>>> -- Knights of Pythagoras
>>>
>>
>> --
>> Jon Daley
>> http://jon.limedaley.com
>> ~~
>> 8:30 classes aren't bad, especially in the morning.
>

-- 
Jon Daley
http://jon.limedaley.com
~~
Music has the uncanny ability to burrow
its way into our spiritual bones.
-- John Witvliet
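An added illustration of the scheme Jon proposes in this thread (Python rather than LifeType's PHP, and not LifeType's own code): strip all HTML from global_settings and custom_field values, except the allowed_html_tags setting, which gets its own check, and honour a hidden configuration option that turns stripping off for custom fields. The option name custom_fields_allow_html and the function names are assumptions.

```python
import re
from html.parser import HTMLParser

# Hypothetical hidden config key (an assumption, not a real LifeType setting).
ALLOW_HTML_IN_CUSTOM_FIELDS = "custom_fields_allow_html"

class _TagStripper(HTMLParser):
    """Keeps text nodes only, dropping every element and attribute. Entity and
    char references are kept as written, so already-escaped text such as
    &lt;script&gt; is not turned back into live markup."""
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.parts = []
    def handle_data(self, data):
        self.parts.append(data)
    def handle_entityref(self, name):
        self.parts.append(f"&{name};")
    def handle_charref(self, name):
        self.parts.append(f"&#{name};")

def strip_html(value):
    """Remove all tags with a real parser (regexes miss malformed tags)."""
    p = _TagStripper()
    p.feed(value)
    p.close()
    return "".join(p.parts)

_TAG_NAME = re.compile(r"^[a-z][a-z0-9]*$")

def validate_allowed_html_tags(value):
    """The one setting that may mention tags: a comma-separated list of bare
    tag names, checked so it can never carry markup or attributes itself."""
    tags = [t.strip().lower().strip("<>") for t in value.split(",") if t.strip()]
    bad = [t for t in tags if not _TAG_NAME.match(t)]
    if bad:
        raise ValueError(f"allowed_html_tags: not a tag name: {bad}")
    return ",".join(tags)

def validate_global_setting(key, value):
    """Strip everything (the thread's stringvalidator(false) idea) except
    allowed_html_tags, which gets its own validator."""
    if key == "allowed_html_tags":
        return validate_allowed_html_tags(value)
    return strip_html(value)

def validate_custom_field(value, config):
    """Strip by default; only the hidden option keeps HTML (and its XSS risk)."""
    if config.get(ALLOW_HTML_IN_CUSTOM_FIELDS, False):
        return value
    return strip_html(value)
```

Stripping on input does not replace escaping on output; a site that sets the hidden option takes on exactly the exposure the thread describes for its custom fields.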

