[pLog-svn] today's notes about validation
Jon Daley
plogworld at jon.limedaley.com
Mon May 26 16:16:52 EDT 2008
On Sat, 24 May 2008, Jon Daley wrote:
> templateaction: passes whole request to view
This action is used when displaying all static template pages. I
am trying to think of how this could be exploited, but it seems like it
would depend on a badly written template. No current templates use this
feature.
> searchengine searches drafts too when not using fulltext
Added a bug report, so someone can take a look at it at some
point, not a big deal.
> blogaction needs to validate the blogId,blogname,userid,username,blogdomain
> fields
Coming soon.
> addcommentaction uses HttpVars::getRequest() need to look into that
> more. allows html, need to verify the filters are getting rid
> of javascript, etc. I believe they are.
Nope. I'll look into more restrictive filtering. Is there any
reason why we would want to allow javascript to be posted in a comment? I
think we currently strip out 'normal' javascript, but with 10 or 20
seconds of thinking about it, got some javascript to post successfully.
Posts probably allow javascript too. We'll probably need a preference for
that, since probably some people want javascript allowed, but blog hosters
probably don't.
> adminaddresourcealbumaction: Why was _form->registerField used?
Maybe the action->registerField didn't use to exist. Doesn't
matter.
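Added example, not pLog's code and not the filter Jon tested: a Python
sketch contrasting a blocklist filter that strips <script> tags with an
allowlist sanitizer that keeps only known tags, attributes and URL
schemes. The payloads in BYPASSES are constructed for illustration and
the allowed-tag set is an assumption, not a pLog setting.

```python
"""Why "strip the <script> tags" is not a JavaScript filter.

Constructed example, not pLog's own filter code; the payloads below are
made up for illustration. It contrasts a blocklist filter (remove
<script>) with an allowlist sanitizer that keeps only known-safe tags,
attributes and URL schemes and re-escapes all text.
"""
import re
from html import escape
from html.parser import HTMLParser


def naive_strip_script(html: str) -> str:
    """Blocklist filter: drop <script>...</script> blocks and stray <script> tags.

    Everything it does not know about (event handler attributes,
    javascript: URLs, tags rebuilt after one stripping pass) passes through.
    """
    html = re.sub(r"<script\b[^>]*>.*?</script\s*>", "", html, flags=re.I | re.S)
    return re.sub(r"</?script\b[^>]*>", "", html, flags=re.I)


# Constructed inputs: run JavaScript with no <script> tag at all, or
# rebuild a <script> tag after a single stripping pass.
BYPASSES = {
    "event handler": '<img src=x onerror="alert(1)">',
    "javascript: URL": '<a href="javascript:alert(1)">click</a>',
    "nested tag": "<scr<script>ipt>alert(1)</scr<script>ipt>",
}

# Assumed policy for a comment field (not pLog's configuration).
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "code", "blockquote", "a"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")  # allowlist, not a javascript: blocklist
VOID_TAGS = {"br"}
DROP_CONTENT = {"script", "style"}  # drop the element together with its text


class AllowlistSanitizer(HTMLParser):
    """Allowlist sanitizer: unknown tags/attributes are removed, text is re-escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # emitted tags awaiting a close, so output stays balanced
        self.drop_depth = 0   # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.drop_depth += 1
            return
        if self.drop_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onerror=, onclick=, style=, ...
            value = (value or "").strip()
            if name == "href" and not value.lower().startswith(SAFE_SCHEMES):
                continue  # drops javascript:, data:, vbscript:, ...
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.drop_depth = max(0, self.drop_depth - 1)
            return
        if self.drop_depth or tag not in self.open_tags:
            return
        while self.open_tags:  # also closes anything left open inside it
            top = self.open_tags.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(escape(data, quote=False))

    def result(self) -> str:
        self.close()
        while self.open_tags:
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(html: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(html)
    return parser.result()


if __name__ == "__main__":
    for label, payload in BYPASSES.items():
        print(f"{label:16} blocklist -> {naive_strip_script(payload)!r}")
        print(f"{'':16} allowlist -> {sanitize(payload)!r}")
```

The design point is the direction of the check: the sanitizer never asks
"is this dangerous?", only "is this on the list?", so a payload it has
never seen is dropped rather than passed. A per-blog "allow scripts"
preference as discussed above would then be a second, explicitly opted-in
policy, not a relaxation of this one.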