[pLog-svn] Request, Validators and Filters

Mark Wu mark.wu at markplace.net
Mon May 5 22:02:15 EDT 2008


Before further discussion, I think we should make these terms very
clear ...
 
1. In LifeType the HTTP request includes POST, GET and COOKIE; we always get
it from HttpVars::getRequest(). It is raw data, we don't do anything with
it, just merge them.
 
2. In LifeType actions and views, we have a private attribute $_request;
$_request is an instance of Request, a wrapper of
HttpVars::getRequest() that takes magic quotes into consideration. That means we
only remove the slashes from raw requests.
 
3. FieldValidators: only available in actions. In LifeType we don't have
model validators, only action validators. We just check whether the value is
valid or not. If not, it carries all the form values to the error view or the
next view (without filtering or anything).
 
4. Filters: can be used in actions & views, because we can always get the
filtered value from $_request->getFilteredValue( 'name', new HtmlFilter ).
The filtered value is not saved back to $_request.
 
I think most XSS problems occur in those fields with:
 
1. registerFieldValidator( 'name', new StringValidator() )
 
2. registerField without a validator
 
3. the error value we return without escaping or filtering
 
To prevent XSS, I think there should be some easier way that does not
require a lot of refactoring.
 
1. Replace all HttpVars::getRequest calls in actions and views with $_request
 
2. extend StringValidator to StringValidator( $allowHtml == false ) and
allow it to check whether the string is plain text only or HTML. For example, we
can use

registerFieldValidator( 'postText', new StringValidator( true ) ) for
postText and registerFieldValidator( 'name', new StringValidator() ) for
blogName. I think it can solve 90% of the problems without any big refactoring
 
3. extend registerFieldValidator, allow it to escape/filter/blahblah the
request value and save it to $request if the value is invalid. Therefore, the
value we get in the Smarty template is escaped/filtered/blahblah ...
 
4. Replace registerField with registerFieldValidator as much as we can ...
 
Mark
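
The request / validator / filter split and the proposed StringValidator( $allowHtml ) described in the message above, as an added PHP mock-up that is not LifeType's code and not part of the original post. The class and method names (Request, HtmlFilter, StringValidator, getFilteredValue, registerFieldValidator) mirror the ones mentioned in the mail but their bodies are assumptions written for illustration only; the raw request array is constructed sample data standing in for what HttpVars::getRequest() would return under magic quotes.

```php
<?php
// Illustrative mock-up of the request / validator / filter split discussed in the
// mail. NOT LifeType's implementation: every class body here is an assumption
// written to demonstrate the proposal, and names mirror the mail only.

// Constructed sample of the merged POST + GET + COOKIE array that
// HttpVars::getRequest() would hand back, with magic_quotes-style slashes.
$rawRequest = array(
    'blogName' => "Mark\\'s <script>alert(1)</script> blog",
    'postText' => "<p>Hello <b>world</b></p>",
);

// Point 4 of the mail: a Filter returns a transformed copy and never stores it.
interface Filter { public function filter($value); }

class HtmlFilter implements Filter {
    // Escape so the value is safe to echo into a Smarty template as text.
    public function filter($value) {
        return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
    }
}

// Point 2 of the mail: $_request only undoes magic quotes, otherwise it is raw.
class Request {
    private $params;
    public function __construct(array $raw, $magicQuotes) {
        $this->params = $magicQuotes ? array_map('stripslashes', $raw) : $raw;
    }
    public function getValue($name) {
        return isset($this->params[$name]) ? $this->params[$name] : null;
    }
    // Filtered value is computed on demand and not written back (point 4).
    public function getFilteredValue($name, Filter $filter) {
        return $filter->filter($this->getValue($name));
    }
    public function setValue($name, $value) { $this->params[$name] = $value; }
}

// Proposal 2: StringValidator( $allowHtml ). With $allowHtml == false the value
// must survive strip_tags() unchanged, i.e. contain no markup at all.
class StringValidator {
    private $allowHtml;
    public function __construct($allowHtml = false) { $this->allowHtml = (bool) $allowHtml; }
    public function validate($value) {
        if (!is_string($value) || $value === '') return false;
        if ($this->allowHtml) return true;
        return strip_tags($value) === $value;
    }
}

// Proposal 3: on validation failure, write the escaped value back into the
// request so the error view never echoes raw input. Hypothetical helper.
function registerFieldValidator(Request $request, $name, StringValidator $v, Filter $onError) {
    $value = $request->getValue($name);
    if ($v->validate($value)) return true;
    $request->setValue($name, $onError->filter($value));
    return false;
}

$request = new Request($rawRequest, true);

$okName = registerFieldValidator($request, 'blogName', new StringValidator(), new HtmlFilter());
$okPost = registerFieldValidator($request, 'postText', new StringValidator(true), new HtmlFilter());

var_dump($okName); // false: blogName must be plain text but contains tags
var_dump($okPost); // true: HTML is allowed in postText
echo $request->getValue('blogName'), "\n"; // escaped, safe for the error view
echo $request->getValue('postText'), "\n"; // markup left as submitted
echo $request->getFilteredValue('postText', new HtmlFilter()), "\n"; // escaped copy only
```

Two caveats worth keeping in mind when reading the mock-up against the proposal: the strip_tags() comparison is a plain-text heuristic, not a sanitizer, so a field that must accept a literal `<` in normal text (a blog name like "a < b") will be rejected and needs its own rule; and a field validated with StringValidator( true ) still reaches the template with untouched markup, so allowing HTML in postText only moves the XSS question from the validator to whatever HTML cleaning happens before rendering.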