[pLog-svn] Request, Validators and Filters
Jon Daley
plogworld at jon.limedaley.com
Mon May 5 23:57:33 EDT 2008
On Tue, 6 May 2008, Mark Wu wrote:
> Before further discussion, I think we should make these terms very
> clear ...
Thanks.
> I think most XSS problems occur in those fields with:
> 1. registerFiledValidator( 'name', new StringValidator() )
> 2. registerFiled without validator
> 3. the error value we return without escape or filter
I agree.
> 1. Replace all Httpvars::getRequest in actions and views with $_request
>
> 2. extend the StringValidator to StringValidator ( $allowHtml == false) and
> allow it to check the string is plain text only or html. for example, we
> can use
>
> registerFiledValidator( 'postText', new StringValidator( true ) ) in
> postText and registerFiledValidator( 'name', new StringValidator() ) in
> blogName. I think it can solve 90% problems without any bug refactor
>
> 3. extend the registerFiledValidator, allow it to escape/filter/blahblah the
> request value and save to $request if the value is invalid. Therefore, the
> value we get in the smarty template is escaped/filtered/blahblah ...
>
> 4. Replace registerFiled with registerFiledValidator as much as we can ...
Sounds good to me. I'd like to add that if the StringValidator
isn't really a validator, i.e. it just checks for non-empty like it does now,
we should get rid of it, so it doesn't give a false sense of security.
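The scheme sketched in the quoted points 2 and 3 (a StringValidator that knows whether HTML is allowed, and a field registration that escapes a rejected value before it can be echoed back in a template), written out as an added example. This is not pLog/LifeType code: the StringValidator constructor flag, the Request class, its registerFieldValidator/validate/getValue methods and the sample input are all assumptions made for illustration.

```php
<?php
// Added example, not pLog/LifeType code. Assumed API: StringValidator($allowHtml),
// Request::registerFieldValidator(), Request::validate(), Request::getValue().

class StringValidator
{
    private bool $allowHtml;

    public function __construct(bool $allowHtml = false)
    {
        $this->allowHtml = $allowHtml;
    }

    // Plain-text fields (blog name, author name, ...): non-empty and no markup.
    // HTML fields (post text): non-empty only; the markup is the field's payload
    // and must go through a separate HTML filter before it is displayed.
    public function validate($value): bool
    {
        if (!is_string($value) || trim($value) === '') {
            return false;
        }
        if ($this->allowHtml) {
            return true;
        }
        // Assumed heuristic: if strip_tags() changes the string, it contained a tag.
        return strip_tags($value) === $value;
    }
}

class Request
{
    private array $values;
    private array $validators = [];
    private array $errors = [];

    // $raw stands in for $_REQUEST.
    public function __construct(array $raw)
    {
        $this->values = $raw;
    }

    public function registerFieldValidator(string $field, StringValidator $v): void
    {
        $this->validators[$field] = $v;
    }

    // Run every registered validator. A value that fails is replaced in place
    // with an HTML-escaped copy, so the "error value" a template echoes back
    // ("blog name '...' is invalid") is already safe to print.
    public function validate(): bool
    {
        foreach ($this->validators as $field => $validator) {
            $value = $this->values[$field] ?? '';
            if (!$validator->validate($value)) {
                $this->errors[$field] = true;
                $this->values[$field] = htmlspecialchars(
                    (string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8'
                );
            }
        }
        return empty($this->errors);
    }

    public function getValue(string $field)
    {
        return $this->values[$field] ?? null;
    }

    public function getErrors(): array
    {
        return array_keys($this->errors);
    }
}

// Constructed sample request: a plain-text field carrying a script tag and an
// HTML field carrying ordinary markup.
$req = new Request([
    'blogName' => '<script>alert(1)</script>',
    'postText' => '<p>Hello <b>world</b></p>',
]);
$req->registerFieldValidator('blogName', new StringValidator());
$req->registerFieldValidator('postText', new StringValidator(true));

$ok = $req->validate();
var_dump($ok, $req->getErrors(), $req->getValue('blogName'), $req->getValue('postText'));
```

With this arrangement the blogName value is rejected and stored escaped, so a template that prints it inside an error message cannot inject script, while postText is accepted untouched because HTML is legitimately allowed there. The point in the reply above still stands: the allowHtml=true path only checks for non-empty, so it must not be mistaken for an HTML sanitiser; that filtering has to happen separately before the post text is rendered.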