[pLog-svn] Request, Validators and Filters
Reto Hugi
plog at hugi.to
Tue May 6 03:28:41 EDT 2008
Jon Daley wrote:
>> I think the most XSS problem occurs in those fields with:
>> 1. registerFiledValidator( 'name', new StringValidator() )
>> 2. registerFiled without validator
>> 3. the error value we return without escape or filter
> I agree.
Agree, too.
>> 1. Replace all Httpvars::getRequest in actions and views with $_request
>>
>> 2. extend the StringValidator to StringValidator ( $allowHtml ==
>> false) and
>> allow it to check the string is plain text only or html. for example, we
>> can use
>>
>> registerFiledValidator( 'postText', new StringValidator( true ) ) in
>> postText and registerFiledValidator( 'name', new StringValidator() ) in
>> blogName. I think it can solve 90% problems without any bug refactor
that's ok. Though I'm not sure we should do this on the 1.2.x branch
because it's likely to introduce issues. We kind of switch from a
blacklist to a whitelist... (by default test for string vs. by default
test for non-html string)
>> 3. extend the registerFiledValidator, allow it to
>> escape/filter/blahblah the
>> request value and save to $request if the value is invalid. Therefore,
>> the
>> value we get in smarty template is escaped/filtered/blahblah ...
>>
>> 4. Replace registerFiled with registerFiledValidator as much as we
>> can ...
I like that :)
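The validator/escaping scheme proposed in the thread (a StringValidator that accepts plain text by default and HTML only when asked, plus a field registration that hands the template an escaped copy of any value that fails validation), sketched as an added PHP example. This is not pLog's own code: the class names, the `$allowHtml` flag semantics, the `registerFieldValidator` signature and the sample request values are assumptions made for illustration.

```php
<?php
// Added illustration of the validator/escaping scheme discussed above.
// Hypothetical simplified classes; not pLog/LifeType's own implementation.

class StringValidator
{
    private bool $allowHtml;

    // By default a field is plain text; pass true for fields such as the
    // post body that are expected to carry HTML.
    public function __construct(bool $allowHtml = false)
    {
        $this->allowHtml = $allowHtml;
    }

    // A value is valid if it is a non-empty string and, unless HTML is
    // explicitly allowed, contains no markup at all (whitelist: the value
    // must survive strip_tags unchanged, rather than matching a blacklist).
    public function validate($value): bool
    {
        if (!is_string($value) || $value === '') {
            return false;
        }
        if ($this->allowHtml) {
            return true;
        }
        return strip_tags($value) === $value;
    }
}

class Request
{
    private array $values;
    private array $validators = [];
    private array $errors = [];

    public function __construct(array $values)
    {
        $this->values = $values;
    }

    // Registers a validator for a field. If the value is invalid, the stored
    // copy is replaced by an HTML-escaped version so that an error page that
    // re-displays the submitted value never receives raw markup.
    public function registerFieldValidator(string $name, StringValidator $validator): void
    {
        $this->validators[$name] = $validator;
        $value = $this->values[$name] ?? '';
        if (!$validator->validate($value)) {
            $this->errors[$name] = true;
            $this->values[$name] = htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
        }
    }

    // What the template layer would read for this field.
    public function getValue(string $name)
    {
        return $this->values[$name] ?? null;
    }

    public function isValid(): bool
    {
        return empty($this->errors);
    }

    public function getErrorFields(): array
    {
        return array_keys($this->errors);
    }
}

// Constructed sample request: blogName carries a script tag (should be
// rejected and escaped), postText is ordinary post HTML (should pass).
$request = new Request([
    'blogName' => 'My blog<script>alert(1)</script>',
    'postText' => '<p>Hello <b>world</b></p>',
]);

$request->registerFieldValidator('blogName', new StringValidator());     // plain text only
$request->registerFieldValidator('postText', new StringValidator(true)); // HTML allowed

var_dump($request->isValid());
print_r($request->getErrorFields());
echo $request->getValue('blogName'), "\n"; // escaped copy, safe to echo in the error view
echo $request->getValue('postText'), "\n"; // untouched, since HTML was allowed here
```

Run it with `php example.php`. The point the example makes is the one raised in the thread: once the registration step escapes an invalid value itself, the Smarty error template cannot accidentally echo the raw submission, and the default (no HTML) has to be relaxed per field, which is the blacklist-to-whitelist switch Reto cautions about for the 1.2.x branch.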