[pLog-svn] today's changes

Jon Daley plogworld at jon.limedaley.com
Mon Jun 30 15:06:24 EDT 2008


 	I have been thinking about the custom_field and global_settings 
validation - what if we strip out all HTML (except for 
the one setting that needs html (allowed_html_tags)) but put a hidden 
configuration option so people can disable that if they have been 
depending on it for their custom fields?

 	And then in 2.0 we would add a validator to the "new custom field" 
creator, and the user can pick which validator is necessary - and if he 
requires the ability to allow javascript in his custom fields, well - then 
he is at risk, but there isn't any way to prevent that (outside of the 
previously talked about XSS/CSRF/etc stuff).


On Sat, 21 Jun 2008, Jon Daley wrote:

> 	I haven't tested the registration process.  Everything else should be 
> good.
>
> 	I am not planning on any more changes, except to check the TODOs to 
> see if we are going to do anything with them for 1.2.9.
>
> 	One important TODO is the globalsettings validation (and probably 
> other places like that).  Maybe we can just do a stringvalidator(false) to 
> validate everything, except a couple settings?
>
> 	I would be alright with leaving the customfield validation until 
> later - they are add-ons, custom done, (so harder to guess to exploit). It 
> would be able to announce with the 1.2.9 "we don't know of any security 
> issues/exploits", which would mean fixing the customfield validation now.
>
>
>

-- 
Jon Daley
http://jon.limedaley.com
~~
I never think of the future.  It comes soon enough.
-- Albert Einstein
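The validation scheme sketched in the message above, written out as an added PHP example (pLog/LifeType is PHP, but this is not the project's own code): every submitted global setting is run through strip_tags() except allowed_html_tags, a hidden site-config switch restores the old behaviour, and the 2.0 idea of a per-field validator is shown as a small named-validator table. The function names, the config key strip_settings_html, the validator names, and the sample submission are all assumptions for the illustration. It goes one step past the message in one place: the allowed_html_tags exception is reduced to bare tag names rather than kept raw.

```php
<?php
// Added example, not pLog/LifeType code: the validation scheme proposed in
// the message above. All function and key names below are assumptions.

// The one setting that legitimately holds markup: a tag list in the form
// strip_tags() accepts, e.g. "<a><b><i>". It is the exception the message names.
const HTML_ALLOWED_SETTINGS = ['allowed_html_tags'];

/**
 * Strip markup from every submitted setting except those on the allow list.
 * The hidden site-config key 'strip_settings_html' (assumed name) defaults to
 * true; an operator whose custom fields depended on HTML can set it to false.
 */
function sanitizeSettings(array $settings, array $siteConfig = []): array
{
    if (!($siteConfig['strip_settings_html'] ?? true)) {
        return $settings;                       // explicit opt-out: old behaviour
    }
    $clean = [];
    foreach ($settings as $key => $value) {
        if (!is_string($value)) {
            $clean[$key] = $value;              // ints/bools carry no markup
        } elseif (in_array($key, HTML_ALLOWED_SETTINGS, true)) {
            // Beyond the message: the exception is reduced to bare tag names,
            // so the tag list itself cannot carry attributes or script.
            $clean[$key] = preg_replace('/[^A-Za-z0-9<>]/', '', $value);
        } else {
            $clean[$key] = strip_tags($value);
        }
    }
    return $clean;
}

/**
 * The 2.0 half of the proposal: each custom field is created with a named
 * validator, and 'raw' is the explicit opt-in that keeps markup.
 */
function fieldValidators(): array
{
    return [
        'text'    => fn(string $v): string => strip_tags($v),
        'integer' => fn(string $v): string => (string) (int) $v,
        'url'     => function (string $v): string {
            // Only well-formed http(s) URLs survive; anything else is blanked.
            $scheme = strtolower((string) parse_url($v, PHP_URL_SCHEME));
            return filter_var($v, FILTER_VALIDATE_URL) !== false
                && in_array($scheme, ['http', 'https'], true)
                ? $v : '';
        },
        'raw'     => fn(string $v): string => $v,   // field author accepts the risk
    ];
}

function validateCustomField(string $validator, string $value): string
{
    $validators = fieldValidators();
    if (!isset($validators[$validator])) {
        throw new InvalidArgumentException("unknown validator: $validator");
    }
    return $validators[$validator]($value);
}

// Constructed sample submission, shaped like what the admin form would post.
$submitted = [
    'blog_name'         => 'My blog <script>alert(1)</script>',
    'allowed_html_tags' => '<a><b><i>',
    'posts_per_page'    => 10,
];
print_r(sanitizeSettings($submitted));
print_r(sanitizeSettings($submitted, ['strip_settings_html' => false]));
echo validateCustomField('url', 'http://example.com/'), "\n";
```

The default path strips markup from blog_name and leaves allowed_html_tags as a plain tag list; the second call shows the opt-out returning the submission untouched, which is the behaviour a site that relied on HTML in its custom fields would select. Unknown validator names throw rather than silently passing the value through, so a misconfigured field fails closed.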

