[Product-Developers] Links in StatusMessages

Jan-Carel Brand lists at opkode.com
Fri Aug 24 09:46:16 UTC 2012


On Fri, 2012-08-24 at 11:22 +0200, Philip Bauer wrote:
> Oops. Good thing I'm not part of the security team. How about doing the transform on decoding the cookie as default? 
> 
> @JC: why do you use htmllaundry instead of portal_transforms? 

portal_transforms is also an option. 

The safe_html transform however allows many more tags (such as video,
audio) and we only wanted to allow 5 tags.

Also, users can add more allowed tags, so they might inadvertently open up an
attack vector. 

I guess I could have registered a new transform but we were already
using htmllaundry and it was quick and easy.

> And why a custom messagekey?

Since it's an override, I wanted to make it explicit. I.e. you HAVE to
use addHTML to add rich messages.

The HTML messages need to be cast to literals so that Chameleon will
render them and not just display the markup as text, but you don't want
the same for plain text messages.


> On 24.08.2012 at 10:45, Richard Mitchell <richard.j.mitchell at gmail.com> wrote:
> 
> > Philip: If one relies on the data being cleaned before it is set in the cookie, it could be manipulated afterwards, or completely separately to contain something more dangerous.
> > 
> > On Aug 24, 2012 9:09 AM, "Philip Bauer" <bauer at starzel.de> wrote:
> > How about cleaning the message before saving as a cookie?
> > 
> > Would adding something like
> > message = portal_transforms.convertTo('text/x-html-safe', self.message, mimetype='text/x-web-intelligent')
> > to Products.statusmessages.message.Message.encode be ok?
> > 
> > Philip
> > 
> > On 23.08.2012 at 18:50, Matthew Wilkes <matt at matthewwilkes.name> wrote:
> > 
> > >
> > >
> > > Philip Bauer wrote:
> > >> I changed this by customizing the template. Might there be a better way? Or might it be a good idea to change this template by default?
> > >
> > > I would be hesitant to change this by default, as it means that if a malicious user can get cookies set for another user they can insert arbitrary HTML.
> > >
> > > Matt
> > 
> > _______________________________________________
> > Product-Developers mailing list
> > Product-Developers at lists.plone.org
> > https://lists.plone.org/mailman/listinfo/plone-product-developers
> 

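The decode-side sanitising Philip floats above, as an added illustration that is neither Products.statusmessages' nor htmllaundry's code: a small whitelist filter applied after the message is read back from the cookie, so a value tampered with after encode() still cannot carry markup into the template. The five-tag whitelist, the href scheme list and the function names are assumptions.

```python
"""Added example (not Products.statusmessages' or htmllaundry's code): whitelist-
sanitise a status message when it is *decoded* from the cookie, so a cookie
value altered after encode() cannot inject markup. Whitelist/names assumed."""
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"a", "b", "i", "em", "strong"}          # assumed whitelist
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_HREF_PREFIXES = ("http://", "https://", "mailto:", "/", "#")


class _Whitelist(HTMLParser):
    """Re-emit only whitelisted tags/attributes; everything else becomes text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return                      # drop the tag, keep its escaped text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()) or value is None:
                continue                # no onclick=, style=, ...
            if name == "href" and not value.strip().lower().startswith(SAFE_HREF_PREFIXES):
                continue                # no javascript:, data:, vbscript: links
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # <script> bodies land here too


def sanitize_html_message(raw):
    parser = _Whitelist()
    parser.feed(raw)
    parser.close()
    return "".join(parser.out)


def decode_for_template(raw, rich):
    """After reading the cookie: rich messages (the explicit addHTML path) are
    sanitised and may then be cast to a literal; plain ones are just escaped."""
    return sanitize_html_message(raw) if rich else escape(raw, quote=True)
```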


