[pLog-svn] today's notes about validation

Jon Daley plogworld at jon.limedaley.com
Mon May 26 16:16:52 EDT 2008


On Sat, 24 May 2008, Jon Daley wrote:
>  templateaction: passes whole request to view
 	This action is used when displaying all static template pages.  I 
am trying to think of how this could be exploited, but it seems like it 
would depend on a badly written template.  No current templates currently 
use this feature.

>  searchengine searches drafts too when not using fulltext
 	Added a bug report, so someone can take a look at it at some 
point, not a big deal.

>  blogaction needs to validate the blogId,blogname,userid,username,blogdomain 
> fields
 	Coming soon.

>  addcommentaction uses HttpVars::getRequest() need to look into that
>          more.  allows html, need to verify the filters are getting rid
>          of javascript, etc.  I believe they are.
 	nope.  I'll look into more restrictive filtering.  Is there any 
reason why we would want to allow javascript to be posted in a comment?  I 
think we currently strip out 'normal' javascript, but with 10 or 20 
seconds of thinking about it, got some javascript to post successfully. 
Posts probably allow javascript too.  We'll probably need a preference for 
that, since probably some people want javascript allowed, but blog hosters 
probably don't.

>  adminaddresourcealbumaction: Why was _form->registerField used?
 	Maybe the action->registerField didn't use to exist.  Doesn't 
matter.

