[pLog-svn] r6582 - plog/branches/lifetype-1.2/class/action/admin

Jon Daley plogworld at jon.limedaley.com
Sat Jun 21 13:50:03 EDT 2008


 	I think I get it, as long as you agree with my changes to 
adminpostmanagement.  (though I think I didn't do the trackbackurls 
correctly - but I'll get to that in a minute).
 	What I thought you said/meant earlier was that you had checked 
adminpostmanagement and that the comment that says they don't need to be 
validated was correct, and so you left them as just registerField.

On Sun, 22 Jun 2008, Mark Wu wrote:

> Okay, I'm just confused. I'll try to do a summary of this discussion here:
>
> In the beginning, you asked me "Why do we use registerField() originally?"
>
> I told you "Because these fields don't need validation, and we just want to
> carry the value back to the form if validation failed"
>
> Then you asked me "Why doesn't it need to be validated?"
>
> I used a checkbox (or say boolean) input as an example, and told you why these
> fields don't need validation in the original code.
>
> Because we use $aaa = ( $this->_request->getValue( "aaa" ) != "" ); to
> convert the checkbox/boolean input field "aaa" to a filtered value $aaa = 0
> or 1 before it is inserted/updated into the database.
>
> So, now you ask me "You still can do XSS to those registerField()
> inputs"....
>
> Mmm..... Of course you still can do XSS for those registerField() fields in
> admincommpostmanagementaction, because registerField() is only used to carry
> the value back to the form if the validation process failed, but it does not
> filter the value before carrying the inputs back to the form.
>
> So according to the suggestion mail that I wrote for preventing XSS, using
> registerFieldValidator() for all inputs is the only way to get a "filtered
> value" back to the form in our current validation design.
>
> And I saw you changed the registerField() in admincommpostmanagementaction
> to registerFieldValidator(); it is the right way to prevent XSS attacks.
>
> I hope this summary can make this issue more clear.
>
>> -----Original Message-----
>> From: plog-svn-bounces at devel.lifetype.net
>> [mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of Jon Daley
>> Sent: Sunday, June 22, 2008 12:16 AM
>> To: LifeType Developer List
>> Subject: Re: [pLog-svn] r6582 -
>> plog/branches/lifetype-1.2/class/action/admin
>>
>>  	I guess you'll need to explain this again to me.  See
>> the next checkin.  Because these values aren't validated, I
>> can cause XSS problems to occur.
>>
>> On Thu, 19 Jun 2008, Jon Daley wrote:
>>
>>> 	Ah, yes, I hadn't realized they were all checkboxes.  I am thinking
>>> that in 2.0 we should change request->getValue to not be able to
>>> return a value if it isn't validated.  That way it will be impossible
>>> to have any further security issues, (except for errors in the
>>> validators, and developer errors in picking the wrong validator).
>>>
>>> On Thu, 19 Jun 2008, Mark Wu wrote:
>>>> For example, the value from checkbox.
>>>>
>>>> We don't need to validate it, we just use:
>>>>
>>>> $checked = ( $this->_request->getValue("blahblah") != "" );
>>>>
>>>> So, we don't care about the value itself, we just care about whether
>>>> the value was assigned or not.
>>>>
>>>> This kind of value, we don't validate it.
>>>>
>>>>> -----Original Message-----
>>>>> From: plog-svn-bounces at devel.lifetype.net
>>>>> [mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of Jon Daley
>>>>> Sent: Thursday, June 19, 2008 11:41 PM
>>>>> To: LifeType Developer List
>>>>> Subject: Re: [pLog-svn] r6582 -
>>>>> plog/branches/lifetype-1.2/class/action/admin
>>>>>
>>>>> On Thu, 19 Jun 2008, Mark Wu wrote:
>>>>>> registerField() is only used in addXXXAction; it will bring the value
>>>>>> (the value with no need to validate) back to _form.
>>>>>  	Ok, maybe I am starting to understand it.  Why doesn't it need to
>>>>> be validated?
>>>>> _______________________________________________
>>>>> pLog-svn mailing list
>>>>> pLog-svn at devel.lifetype.net
>>>>> http://limedaley.com/mailman/listinfo/plog-svn
>>>>
>>>>
>>>
>>>
>>
>> --
>> Jon Daley
>> http://jon.limedaley.com
>> ~~
>> We should be less concerned making churches full of people
>> and more concerned about making people full of God.
>> -- C. Kirk Hadawy and David Roozen
>
>

-- 
Jon Daley
http://jon.limedaley.com
~~
If you're really afraid of some bad outcome, that's what you're going
to get.  If you behave as if you trust somebody, you're more likely to
get trust back.
-- Charles Green, founder of Trusted Advisor Associates
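As an added illustration of the design point argued in this thread (not LifeType's own code; the function names are hypothetical stand-ins for registerField() and registerFieldValidator(), and the request array and field names are constructed), the following shows why a value carried back to the form unfiltered is reflected into the page, why a validator that returns an escaped copy is not, and why the checkbox coercion pattern is safe regardless of the submitted value.

```php
<?php
// Added illustration, not LifeType code: hypothetical stand-ins for the
// registerField() / registerFieldValidator() design discussed in the thread.

function requestValue(array $request, string $name): string {
    return $request[$name] ?? '';
}

// Like registerField(): the raw value is carried back to the form unchanged,
// so any markup the client submitted is reflected into the page.
function carryBackRaw(array $request, string $name): string {
    return requestValue($request, $name);
}

// Like registerFieldValidator(): the value is checked against a rule and only
// an HTML-escaped ("filtered") copy is carried back, whether valid or not.
function carryBackFiltered(array $request, string $name, callable $isValid): array {
    $raw = requestValue($request, $name);
    return [
        'valid'    => $isValid($raw),
        'filtered' => htmlspecialchars($raw, ENT_QUOTES, 'UTF-8'),
    ];
}

// The checkbox pattern from the thread: only presence matters, so the value
// itself never reaches the page and cannot carry markup.
function checkboxChecked(array $request, string $name): bool {
    return requestValue($request, $name) != '';
}

function renderInput(string $name, string $value): string {
    return '<input type="text" name="' . $name . '" value="' . $value . '">';
}

// Constructed request: a URL field carrying markup plus a checked checkbox.
$request = ['trackbackUrls' => '"><script>alert(1)</script>', 'sendPings' => 'on'];
$isUrl = fn(string $v): bool => $v === '' || preg_match('#^https?://\S+$#', $v) === 1;

// Raw carry-back: the submitted quote closes the value attribute early and
// the script tag becomes part of the rendered form.
echo renderInput('trackbackUrls', carryBackRaw($request, 'trackbackUrls')), "\n";

// Filtered carry-back: validation fails, but the echoed copy is entity-encoded,
// so the form can redisplay the user's input without it being interpreted.
$result = carryBackFiltered($request, 'trackbackUrls', $isUrl);
echo renderInput('trackbackUrls', $result['filtered']), ' valid=', var_export($result['valid'], true), "\n";

echo 'sendPings checked: ', var_export(checkboxChecked($request, 'sendPings'), true), "\n";
```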

