[pLog-svn] today's changes

Mark Wu markplace at gmail.com
Tue Jul 1 09:24:39 EDT 2008


Yep, it might be a good idea.

I just searched for customfield in all plugins. Most plugins use custom fields as
tags, karmas, passwords, user names, emails ..

So, I think it won't impact too much.

Mark 

> -----Original Message-----
> From: plog-svn-bounces at devel.lifetype.net 
> [mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of Jon Daley
> Sent: Tuesday, July 01, 2008 9:19 PM
> To: LifeType Developer List
> Subject: Re: [pLog-svn] today's changes
> 
> Yes, I agree about it being a bad idea to set the configuration option,
> and I wouldn't argue for ever making it public on the admin interface,
> and for the plugin case, yes.
>
> My point is that maybe someone is using custom fields for ads or
> something else where html (and even worse, javascript) is allowed in
> the custom field.
>
> Going forward, someone trying it will see that it doesn't work, and so
> will probably find some other solution for it, and maybe if no one
> complains in 1.2.9, we could even remove the configuration option in
> 2.0, though I guess I wouldn't care too much either way.
> 
> On Tue, 1 Jul 2008, Mark Wu wrote:
> 
> > BTW, adding a configuration option for this is a good idea.
> >
> > But I personally just don't want users to have this kind of
> > flexibility. :)
> >
> > So, I said it is better to ask plugin developers to create a new table
> > for this purpose.
> >
> > Mark
> >
> >> -----Original Message-----
> >> From: plog-svn-bounces at devel.lifetype.net
> >> [mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of Jon Daley
> >> Sent: Tuesday, July 01, 2008 8:57 PM
> >> To: LifeType Developer List
> >> Subject: Re: [pLog-svn] today's changes
> >>
> >> When you say "we only allowed non-html content", in the past tense -
> >> do you mean we haven't allowed html in the past either?  If it
> >> currently doesn't work, then that is fine, and I can add the
> >> validator.  I figured that since we weren't currently validating the
> >> input, we are allowing HTML, and if I add the html remover code, it
> >> could break someone's site.
> >>
> >> Ah - maybe you are saying we don't need to have a fancier validation
> >> system in 2.0, that is fine.  I don't care as much about stuff going
> >> forward, as breaking existing sites.
> >>
> >> On Tue, 1 Jul 2008, Mark Wu wrote:
> >>> Yes, but I want to keep the custom field simple. We only allowed
> >>> non-html content in it.
> >>>
> >>> If a plugin developer would like his plugin to allow it in a custom
> >>> field, then we just tell them "it is impossible to allow html in
> >>> custom fields".
> >>>
> >>> We can ask them to create a new table for this purpose.
> >>>
> >>> That's why I said it is easier for us.
> >>>
> >>> Mark
> >>>
> >>>> -----Original Message-----
> >>>> From: plog-svn-bounces at devel.lifetype.net
> >>>> [mailto:plog-svn-bounces at devel.lifetype.net] On Behalf 
> Of Jon Daley
> >>>> Sent: Tuesday, July 01, 2008 8:38 PM
> >>>> To: LifeType Developer List
> >>>> Subject: Re: [pLog-svn] today's changes
> >>>>
> >>>> I am not quite sure what you are saying - that we don't need a
> >>>> configuration option?  Is there a way for a plugin to bypass our
> >>>> validation, if we are stripping out all HTML?  It also seems like
> >>>> someone might be using a custom field without a plugin, ie. not a
> >>>> developer, and so wouldn't be able to write their own code?
> >>>>
> >>>> I don't really know - I have only used custom fields to test
> >>>> reported bugs.  I was just worried about breaking something, and
> >>>> then have people not wanting to upgrade to 1.2.9 since things
> >>>> broke.  I'd expect most people to not care about the custom field
> >>>> validation change, but maybe someone does?
> >>>>
> >>>> On Tue, 1 Jul 2008, Mark Wu wrote:
> >>>>
> >>>>> Actually, I think only allowing non-html text in custom fields
> >>>>> should be enough.
> >>>>>
> >>>>> If a plugin developer really needs html somewhere, he should create
> >>>>> his own DAO and use the correct validator for it.
> >>>>>
> >>>>> Mark
> >>>>>
> >>>>>> -----Original Message-----
> >>>>>> From: plog-svn-bounces at devel.lifetype.net
> >>>>>> [mailto:plog-svn-bounces at devel.lifetype.net] On Behalf
> >> Of Jon Daley
> >>>>>> Sent: Tuesday, July 01, 2008 3:06 AM
> >>>>>> To: LifeType Developer List
> >>>>>> Subject: Re: [pLog-svn] today's changes
> >>>>>>
> >>>>>> I have been thinking about the custom_field and global_settings
> >>>>>> validation - what if we strip out all HTML (except for the one
> >>>>>> setting that needs html (allowed_html_tags)) but put a hidden
> >>>>>> configuration option so people can disable that if they have been
> >>>>>> depending on it for their custom fields?
> >>>>>>
> >>>>>> And then in 2.0 we would add a validator to the "new custom field"
> >>>>>> creator, and the user can pick which validator is necessary - and
> >>>>>> if he requires the ability to allow javascript in his custom
> >>>>>> fields, well - then he is at risk, but there isn't any way to
> >>>>>> prevent that (outside of the previously talked about XSS/CSRF/etc
> >>>>>> stuff).
> >>>>>>
> >>>>>>
> >>>>>> On Sat, 21 Jun 2008, Jon Daley wrote:
> >>>>>>
> >>>>>>> I haven't tested the registration process.  Everything else
> >>>>>>> should be good.
> >>>>>>>
> >>>>>>> I am not planning on any more changes, except to check the TODOs
> >>>>>>> to see if we are going to do anything with them for 1.2.9.
> >>>>>>>
> >>>>>>> One important TODO is the globalsettings validation (and probably
> >>>>>>> other places like that).  Maybe we can just do a
> >>>>>>> stringvalidator(false) to validate everything, except a couple
> >>>>>>> settings?
> >>>>>>>
> >>>>>>> I would be alright with leaving the customfield validation until
> >>>>>>> later - they are add-ons, custom done, (so harder to guess to
> >>>>>>> exploit). It would be able to announce with the 1.2.9 "we don't
> >>>>>>> know of any security issues/exploits", which would mean fixing
> >>>>>>> the customfield validation now.
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>
> >>>>>> --
> >>>>>> Jon Daley
> >>>>>> http://jon.limedaley.com
> >>>>>> ~~
> >>>>>> I never think of the future.  It comes soon enough.
> >>>>>> -- Albert Einstein
> >>>>>> _______________________________________________
> >>>>>> pLog-svn mailing list
> >>>>>> pLog-svn at devel.lifetype.net
> >>>>>> http://limedaley.com/mailman/listinfo/plog-svn
> >>>>>
> >>>>>
> >>>>
> >>>> --
> >>>> Jon Daley
> >>>> http://jon.limedaley.com
> >>>> ~~
> >>>> A man never stands as tall as when he kneels to help a child.
> >>>> -- Knights of Pythagoras
> >>>
> >>>
> >>
> >> --
> >> Jon Daley
> >> http://jon.limedaley.com
> >> ~~
> >> 8:30 classes aren't bad, especially in the morning.
> >
> >
> 
> --
> Jon Daley
> http://jon.limedaley.com
> ~~
> Music has the uncanny ability to burrow
> its way into our spiritual bones.
> -- John Witvliet



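The scheme the thread converges on (strip all HTML from custom fields by default, keep a hidden option for sites that depend on the old behaviour, and in 2.0 let the field creator pick a validator, with an allow-list for the one setting that genuinely needs markup) is sketched below as an added Python example. It is not LifeType code: `strip_html`, `sanitize_html`, `FieldPolicy` and the `allow_legacy_html` option are hypothetical names, and LifeType's own StringValidator classes and configuration keys are not reproduced.

```python
"""Added example (not LifeType code): the custom-field validation scheme
discussed in the thread, modelled in Python.  All names here are
hypothetical; LifeType's StringValidator and config keys are not used."""
import html
import re
from dataclasses import dataclass
from html.parser import HTMLParser

_TAG_RE = re.compile(r"<[^>]*>")


def strip_html(value: str) -> str:
    """Plain-text policy: remove every tag.  Runs to a fixed point so a
    fragment such as "<scr<b>ipt>" cannot re-assemble into a tag after
    the inner tag is removed by a single pass."""
    prev = None
    while prev != value:
        prev = value
        value = _TAG_RE.sub("", value)
    return value


class _AllowlistSanitizer(HTMLParser):
    """Keeps only allow-listed tags, drops every attribute (so no href,
    onclick or style survives) and HTML-escapes all text nodes."""

    def __init__(self, allowed):
        super().__init__(convert_charrefs=False)
        self.allowed = allowed
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag in self.allowed:          # attributes intentionally dropped
            self.out.append(f"<{tag}>")

    def handle_endtag(self, tag):
        if tag in self.allowed:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def sanitize_html(value: str, allowed: frozenset) -> str:
    """Allow-list policy for the one setting that needs markup."""
    p = _AllowlistSanitizer(allowed)
    p.feed(value)
    p.close()
    return "".join(p.out)


@dataclass(frozen=True)
class FieldPolicy:
    # Hypothetical hidden option standing in for the thread's "disable
    # the stripping if your site depends on it" escape hatch.
    allow_legacy_html: bool = False
    allowed_tags: frozenset = frozenset({"b", "i", "em", "strong"})


def validate_custom_field(value, validator="plain_text", policy=None):
    """Returns (cleaned_value, was_modified).  The default validator is
    plain text; a 2.0-style field creator could select "allowed_tags"."""
    policy = policy or FieldPolicy()
    if policy.allow_legacy_html:
        return value, False              # legacy behaviour: stored as-is
    if validator == "plain_text":
        cleaned = strip_html(value)
    elif validator == "allowed_tags":
        cleaned = sanitize_html(value, policy.allowed_tags)
    else:
        raise ValueError(f"unknown validator {validator!r}")
    return cleaned, cleaned != value


if __name__ == "__main__":
    # Constructed sample values, not taken from any real site.
    for v in ["plain tag value", "<b>bold</b> <script>x()</script>"]:
        print(validate_custom_field(v))
        print(validate_custom_field(v, validator="allowed_tags"))
```

The `was_modified` flag is the useful signal for an upgrade: logging every field the new validator would change before enforcing it shows which existing sites actually depend on markup in custom fields, which is the breakage Jon is worried about. `allow_legacy_html=True` stores values verbatim and is the "then he is at risk" case in the thread, so it stays off unless a site has knowingly opted in.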