<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.6000.16640" name=GENERATOR></HEAD>
<BODY>
<DIV><FONT face=新細明體 size=2><SPAN class=312460901-06052008>Before further
discussion, I think we should make these terms very clear
...</SPAN></FONT></DIV>
<DIV><FONT face=新細明體 size=2><SPAN
class=312460901-06052008></SPAN></FONT> </DIV>
<DIV><FONT face=新細明體 size=2><SPAN class=312460901-06052008>1. In LifeType the
HTTP request includes POST, GET and COOKIE; we always get it from
Httpvars::getRequest(). It is raw data; we don't do anything with it, we just merge
them.</SPAN></FONT></DIV>
<DIV><FONT face=新細明體 size=2><SPAN
class=312460901-06052008></SPAN></FONT> </DIV>
<DIV><FONT face=新細明體 size=2><SPAN class=312460901-06052008>2. In LifeType
actions and views, we have a private attribute $_request; $_request is an
instance of Request, which is a wrapper of Httpvars::getRequest() that takes
magic quotes into consideration. That means we only remove the slashes from the raw
request.</SPAN></FONT></DIV>
<DIV><FONT face=新細明體 size=2><SPAN class=312460901-06052008></SPAN></FONT><FONT
face=新細明體 size=2><SPAN class=312460901-06052008></SPAN></FONT> </DIV>
<DIV><FONT face=新細明體 size=2><SPAN class=312460901-06052008>3. FieldValidators:
only available in actions. In LifeType we don't have a model validator, only an
action validator. We just check whether the value is valid or not. If not, it will
carry all the form values to the error view or the next view (without filtering or
anything).</SPAN></FONT></DIV>
<DIV><FONT face=新細明體 size=2><SPAN
class=312460901-06052008></SPAN></FONT> </DIV>
<DIV><FONT face=新細明體 size=2><SPAN class=312460901-06052008>4. Filters: can be
used in actions &amp; views, because we can always get the filtered value from
$_request->getFilteredValue( 'name', new HtmlFilter ). The filtered value
is not saved back to $_request.</SPAN></FONT></DIV>
<DIV><FONT face=新細明體 size=2><SPAN
class=312460901-06052008></SPAN></FONT> </DIV>
<DIV><FONT face=新細明體 size=2><SPAN class=312460901-06052008>I think most XSS
problems occur in those fields with:</SPAN></FONT></DIV>
<DIV><FONT face=新細明體 size=2><SPAN
class=312460901-06052008></SPAN></FONT> </DIV>
<DIV><FONT face=新細明體 size=2><SPAN class=312460901-06052008>1.
registerFiledValidator( 'name', new StringValidator() )</SPAN></FONT></DIV>
<DIV><FONT face=新細明體 size=2><SPAN
class=312460901-06052008></SPAN></FONT> </DIV>
<DIV><FONT face=新細明體 size=2><SPAN class=312460901-06052008>2. registerFiled
without a validator</SPAN></FONT></DIV>
<DIV><FONT face=新細明體 size=2><SPAN
class=312460901-06052008></SPAN></FONT> </DIV>
<DIV><FONT face=新細明體 size=2><SPAN class=312460901-06052008>3. the error value we
return without escaping or filtering</SPAN></FONT></DIV>
<DIV><FONT face=新細明體 size=2><SPAN
class=312460901-06052008></SPAN></FONT> </DIV>
<DIV><FONT face=新細明體 size=2><SPAN class=312460901-06052008>As for how to prevent XSS, I
think there should be an easier way that does not require a lot of
refactoring.</SPAN></FONT></DIV>
<DIV><FONT face=新細明體 size=2><SPAN
class=312460901-06052008></SPAN></FONT> </DIV>
<DIV><FONT face=新細明體 size=2><SPAN class=312460901-06052008>1. Replace all
Httpvars::getRequest calls in actions and views with $_request</SPAN></FONT></DIV>
<DIV><FONT face=新細明體 size=2><SPAN
class=312460901-06052008></SPAN></FONT> </DIV>
<DIV><FONT face=新細明體 size=2><SPAN class=312460901-06052008>2. extend
StringValidator to StringValidator( $allowHtml == false ) and allow it to
check whether the string is plain text only or HTML. For example, we can
use</SPAN></FONT></DIV>
<DIV><FONT face=新細明體 size=2><SPAN
class=312460901-06052008></SPAN></FONT> </DIV>
<DIV><FONT face=新細明體 size=2><SPAN
class=312460901-06052008>registerFiledValidator( 'postText', new
StringValidator( true ) ) in postText and
registerFiledValidator( 'name', new StringValidator() )
in blogName. I think it can solve 90% of the problems without any big
refactor</SPAN></FONT></DIV>
<DIV><FONT face=新細明體 size=2><SPAN class=312460901-06052008><SPAN
class=312460901-06052008></SPAN></SPAN></FONT> </DIV>
<DIV><FONT face=新細明體 size=2><SPAN class=312460901-06052008>3. extend
registerFiledValidator to allow it to
escape/filter/blahblah the request value and save it to $request if the value is
invalid. Therefore, the value we get in the Smarty template is
escaped/filtered/blahblah ...</SPAN></FONT></DIV>
<DIV><FONT face=新細明體 size=2><SPAN class=312460901-06052008><SPAN
class=312460901-06052008></SPAN></SPAN></FONT> </DIV>
<DIV><FONT face=新細明體 size=2><SPAN class=312460901-06052008>4. Replace registerFiled with registerFiledValidator as
much as we can ...</SPAN></FONT></DIV>
<DIV><FONT face=新細明體 size=2><SPAN
class=312460901-06052008></SPAN></FONT> </DIV>
<DIV><FONT face=新細明體 size=2><SPAN
class=312460901-06052008>Mark</SPAN></FONT></DIV></BODY></HTML>
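<DIV><FONT face=新細明體 size=2>The following is an added example illustrating the flow Mark describes (raw merged request, the $_request wrapper that only strips magic-quote slashes, a StringValidator with an $allowHtml flag, and a validator hook that escapes an invalid value back into the request before it reaches the error view). It is a self-contained mock written for this page, not LifeType's own Request, StringValidator or HtmlFilter classes; the class names MockRequest and MockStringValidator, the function validateAndEscape, and the sample request data are all assumptions made for the example.</FONT></DIV>

```php
<?php
// Added example, not LifeType code. All names below are hypothetical stand-ins
// for the Request / StringValidator / registerFieldValidator machinery the
// mail describes.

// Constructed input standing in for the merged GET/POST/COOKIE array that
// Httpvars::getRequest() returns: raw, with magic_quotes-style backslashes.
$rawRequest = array(
    'blogName' => "Mark\\'s blog <script>alert(1)</script>",
    'postText' => "Hello <b>world</b>, it\\'s <i>fine</i>",
);

// Mock of the $_request wrapper (step 2 in the mail): it only removes the
// slashes that magic quotes added; it does no escaping or filtering.
class MockRequest
{
    private $values = array();

    public function __construct(array $raw, $magicQuotes = true)
    {
        foreach ($raw as $name => $value) {
            $this->values[$name] = $magicQuotes ? stripslashes($value) : $value;
        }
    }

    public function getValue($name)
    {
        return isset($this->values[$name]) ? $this->values[$name] : null;
    }

    public function setValue($name, $value)
    {
        $this->values[$name] = $value;
    }

    public function getAll()
    {
        return $this->values;
    }
}

// Proposal 2: a string validator that knows whether the field may carry HTML.
// With $allowHtml = false, any tag-like markup makes the value invalid.
class MockStringValidator
{
    private $allowHtml;

    public function __construct($allowHtml = false)
    {
        $this->allowHtml = $allowHtml;
    }

    public function validate($value)
    {
        if (!is_string($value) || $value === '') {
            return false;
        }
        if ($this->allowHtml) {
            return true;
        }
        // Plain-text fields: the value must survive strip_tags() unchanged.
        return strip_tags($value) === $value;
    }
}

// Proposal 3: validate a field and, when it fails, store an escaped copy back
// into the request so the error view / Smarty template never sees raw markup.
// Returns true when the field validated, false when it was rejected and escaped.
function validateAndEscape(MockRequest $request, $field, MockStringValidator $validator)
{
    $value = $request->getValue($field);
    if ($validator->validate($value)) {
        return true;
    }
    $request->setValue($field, htmlspecialchars($value, ENT_QUOTES, 'UTF-8'));
    return false;
}

// Usage: blogName is plain text only, postText may contain HTML.
$request = new MockRequest($rawRequest);
$failed  = array();
if (!validateAndEscape($request, 'blogName', new MockStringValidator(false))) {
    $failed[] = 'blogName';
}
if (!validateAndEscape($request, 'postText', new MockStringValidator(true))) {
    $failed[] = 'postText';
}

// What the error view would now be handed: blogName arrives entity-encoded,
// postText arrives as the author typed it.
foreach ($request->getAll() as $name => $value) {
    echo $name, ': ', $value, "\n";
}
echo 'failed: ', implode(', ', $failed), "\n";
```

<DIV><FONT face=新細明體 size=2>One caveat on the $allowHtml = true path: the validator only decides whether the value is acceptable, it does not sanitize it, so a field such as postText still reaches the template with whatever markup was submitted. For those fields the filtered value from $_request->getFilteredValue( 'postText', new HtmlFilter ) (or an equivalent allow-list HTML filter) is still needed on output; the $allowHtml flag on its own only closes the hole for fields that were never meant to contain HTML.</FONT></DIV>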