[pLog-svn] today's notes about validation
Jon Daley
plogworld at jon.limedaley.com
Thu Jun 5 08:46:49 EDT 2008
Public-facing actions are completely validated. It would be good
for people to test this stuff, as our code might have been depending on
stuff *not* being validated properly.
On Mon, 26 May 2008, Jon Daley wrote:
> On Sat, 24 May 2008, Jon Daley wrote:
>> templateaction: passes whole request to view
> This action is used when displaying all static template pages. I am
> trying to think of how this could be exploited, but it seems like it would
> depend on a badly written template. No current templates use this
> feature.
>
>> searchengine searches drafts too when not using fulltext
> Added a bug report so someone can take a look at it at some point;
> not a big deal.
>
>> blogaction needs to validate the
>> blogId,blogname,userid,username,blogdomain fields
> Coming soon.
>
>> addcommentaction uses HttpVars::getRequest(); need to look into that
>> more. Allows HTML; need to verify the filters are getting rid
>> of javascript, etc. I believe they are.
> Nope. I'll look into more restrictive filtering. Is there any
> reason why we would want to allow javascript to be posted in a comment? I
> think we currently strip out 'normal' javascript, but with 10 or 20 seconds
> of thinking about it, I got some javascript to post successfully. Posts
> probably allow javascript too. We'll probably need a preference for that,
> since probably some people want javascript allowed, but blog hosters probably
> don't.
>
>> adminaddresourcealbumaction: Why was _form->registerField used?
> Maybe the action->registerField didn't used to exist. Doesn't
> matter.
> _______________________________________________
> pLog-svn mailing list
> pLog-svn at devel.lifetype.net
> http://limedaley.com/mailman/listinfo/plog-svn
>
--
Jon Daley
http://jon.limedaley.com
~~
Procrastination is the thief of time.
-- Edward Young
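The comment-filtering point in the message above (stripping 'normal' javascript while other javascript still posts) is the usual failure of a blacklist filter. The following is an added illustration, not pLog code and not part of this thread: a naive filter that only removes <script> elements, beside an allowlist sanitizer that keeps only named tags and attributes and only http/https/mailto links. The sample comments are constructed, and every name in the block (naive_strip_script, sanitize_allowlist, has_script_vector, the ALLOWED_* sets) is an assumption of this example rather than anything in the project.

```python
"""Blacklist vs allowlist comment sanitizing (constructed illustration).

Not pLog/LifeType code: a stand-alone demonstration of why removing
<script> elements is not enough and what an allowlist sanitizer does instead.
"""
import re
from html import escape
from html.parser import HTMLParser

# Constructed comment bodies. Only the first is benign; the rest carry
# javascript in ways that survive a filter which only deletes <script>.
SAMPLE_COMMENTS = [
    'Nice post! <b>Agreed</b> <a href="http://example.org/">link</a>',
    '<script>alert(1)</script>Hi',
    '<img src="x" onerror="alert(1)">',
    '<a href="javascript:alert(1)">click</a>',
    '<b onmouseover="alert(1)">bold</b>',
]

_SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)


def naive_strip_script(html: str) -> str:
    """Blacklist approach: drop <script>...</script> and nothing else."""
    return _SCRIPT_RE.sub("", html)


# Allowlist: tags and attributes that are permitted in a comment (assumed set).
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "a", "blockquote", "code"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")


class AllowlistSanitizer(HTMLParser):
    """Re-emit only allowed tags/attributes; escape everything else as text."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self._skip = 0  # >0 while inside <script>/<style>, whose text is dropped

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag is dropped, its text content is kept escaped
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # this drops every on* event handler attribute
            if name == "href":
                if not (value or "").strip().lower().startswith(SAFE_URL_SCHEMES):
                    continue  # rejects javascript:, data:, vbscript:, ...
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = max(0, self._skip - 1)
            return
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._skip:
            return
        self.out.append(escape(data, quote=False))


def sanitize_allowlist(html: str) -> str:
    """Allowlist approach: parse, keep only known-safe markup, escape the rest."""
    p = AllowlistSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out)


def has_script_vector(html: str) -> bool:
    """Rough detector for the demonstration only: <script>, on*= handlers, javascript: URLs."""
    low = html.lower()
    return ("<script" in low or "javascript:" in low
            or re.search(r"\son\w+\s*=", low) is not None)


if __name__ == "__main__":
    for c in SAMPLE_COMMENTS:
        print("blacklist:", has_script_vector(naive_strip_script(c)), naive_strip_script(c))
        print("allowlist:", has_script_vector(sanitize_allowlist(c)), sanitize_allowlist(c))
```

Run stand-alone, the blacklist column still reports a script vector for the event-handler and javascript: samples, while the allowlist output carries none and leaves the benign comment unchanged. A real deployment would use a maintained sanitizer rather than this sketch, but the design point is the same: decide what is allowed, not what is forbidden.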