[pLog-svn] r6582 - plog/branches/lifetype-1.2/class/action/admin

Mark Wu markplace at gmail.com
Sat Jun 21 13:13:03 EDT 2008


Okay, I'm just confused. I'll try to summarize this discussion here:

In the beginning, you asked me "Why did we use registerField() originally?"

I told you "Because these fields don't need validation; we just want to
carry the value back to the form if validation fails."

Then you asked me "Why doesn't it need to be validated?"

I used the checkbox (or, say, boolean) input as an example, and told you why
these fields don't need validation in the original code.

Because we use $aaa = ( $this->_request->getValue( "aaa" ) != "" ); to
convert the checkbox/boolean input field "aaa" to a filtered value $aaa = 0
or 1 before it is inserted/updated in the database.

So now you ask me "You still can do XSS to those registerField()
inputs"....

Mmm..... Of course you can still do XSS to those registerField() fields in
admincommpostmanagementaction, because registerField() is only used to carry
the value back to the form if the validation process fails, and it does not
filter the value before carrying the inputs back to the form.

So, according to the suggestion mail that I wrote for preventing XSS, using
registerFieldValidator() on all inputs is the only way to get a "filtered
value" back to the form in our current validation design.

And I saw you changed the registerField() in admincommpostmanagementaction
to registerFieldValidator(); that is the right way to prevent an XSS attack.

I hope this summary makes this issue clearer.

> -----Original Message-----
> From: plog-svn-bounces at devel.lifetype.net 
> [mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of Jon Daley
> Sent: Sunday, June 22, 2008 12:16 AM
> To: LifeType Developer List
> Subject: Re: [pLog-svn] r6582 - 
> plog/branches/lifetype-1.2/class/action/admin
> 
>  	I guess you'll need to explain this again to me.  See 
> the next checkin.  Because these values aren't validated, I 
> can cause XSS problems to occur.
> 
> On Thu, 19 Jun 2008, Jon Daley wrote:
> 
> > 	Ah, yes, I hadn't realized they were all checkboxes.  I am thinking
> > that in 2.0 we should change request->getValue to not be able to
> > return a value if it isn't validated.  That way it will be impossible
> > to have any further security issues, (except for errors in the
> > validators, and developer errors in picking the wrong validator).
> >
> > On Thu, 19 Jun 2008, Mark Wu wrote:
> >> For example, the value from checkbox.
> >> 
> >> We don't need to validate it, we just use:
> >> 
> >> $checked = ( $this->_request->getValue("blahblah") != "" );
> >> 
> >> So, we don't care about the value itself, we just care about whether the
> >> value is assigned or not.
> >> 
> >> This kind of value, we don't validate it.
> >> 
> >>> -----Original Message-----
> >>> From: plog-svn-bounces at devel.lifetype.net
> >>> [mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of Jon Daley
> >>> Sent: Thursday, June 19, 2008 11:41 PM
> >>> To: LifeType Developer List
> >>> Subject: Re: [pLog-svn] r6582 -
> >>> plog/branches/lifetype-1.2/class/action/admin
> >>> 
> >>> On Thu, 19 Jun 2008, Mark Wu wrote:
> >>>> registerField() only used in addXXXAction, it will bring the value
> >>>> (the value no need to validate) back to _form.
> >>>  	Ok, maybe I am starting to understand it.  Why doesn't it need to
> >>> be validated?
> >>> _______________________________________________
> >>> pLog-svn mailing list
> >>> pLog-svn at devel.lifetype.net
> >>> http://limedaley.com/mailman/listinfo/plog-svn
> >> 
> >> 
> >
> >
> 
> --
> Jon Daley
> http://jon.limedaley.com
> ~~
> We should be less concerned making churches full of people 
> and more concerned about making people full of God.
> -- C. Kirk Hadawy and David Roozen
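As an added illustration of the two sinks discussed in this thread (the database write that normalizes a checkbox, and the form re-display that does not), the following is a stripped-down model, not LifeType's code: the Request class, carryBack(), checkboxFilter() and textFilter() are invented stand-ins for the real action and validator classes, and the request values are constructed.

```php
<?php
// Added example, not LifeType's code: a stripped-down model of the validation
// design discussed in the thread. Class and function names are invented.
class Request {
    private $params;          // raw submitted values
    private $validated = [];  // field => filtered value, set by a validator
    public function __construct(array $params) { $this->params = $params; }
    public function raw($name) { return isset($this->params[$name]) ? $this->params[$name] : ''; }
    public function markValidated($name, $value) { $this->validated[$name] = $value; }
    // Jon's 2.0 proposal: getValue() refuses to hand out a value no validator has seen.
    public function getValue($name) {
        if (!array_key_exists($name, $this->validated)) {
            throw new RuntimeException("field '$name' was never validated");
        }
        return $this->validated[$name];
    }
}

// Checkbox filter: any non-empty submission means checked; the filtered value
// ('1' or '') is the only thing that may reach the database or the form.
function checkboxFilter($raw) { return ($raw != '') ? '1' : ''; }

// Text filter: escape so a value echoed back into the form cannot break out.
function textFilter($raw) { return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8'); }

// Values carried back to the form on failed validation: a null filter models
// registerField() (raw copy, nothing marked validated); a callable models registerFieldValidator().
function carryBack(Request $req, array $fields) {
    $form = [];
    foreach ($fields as $name => $filter) {
        if ($filter === null) {
            $form[$name] = $req->raw($name);
        } else {
            $form[$name] = $filter($req->raw($name));
            $req->markValidated($name, $form[$name]);
        }
    }
    return $form;
}

// Constructed request: the checkbox value carries markup, and so does the text field.
$req = new Request(['aaa' => '"><b>injected</b>', 'title' => '<i>t</i>']);

// Original admincommpostmanagementaction pattern: checkbox registered via registerField().
$before = carryBack($req, ['aaa' => null, 'title' => 'textFilter']);
var_dump($before['aaa'] === $req->raw('aaa'));   // markup travels back to the form untouched
try { $req->getValue('aaa'); } catch (RuntimeException $e) { echo $e->getMessage(), "\n"; }

// The change Mark describes: every field registered with a validator.
$after = carryBack($req, ['aaa' => 'checkboxFilter', 'title' => 'textFilter']);
echo $after['aaa'], ' ', $after['title'], "\n";
```

The database write in the original code (`$aaa = ( ... != "" )`) was already safe; the example shows that the form re-display is a second consumer of the same raw value, which is why every field, including booleans, has to pass through a filter before it is carried back.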