[Product-Developers] Links in StatusMessages

Philip Bauer bauer at starzel.de
Fri Aug 24 10:42:48 UTC 2012


Hi JC;

thanks for the explanation. It makes sense to me now. 
If you released it as an addon I would welcome it. It might also be worth a PLIP. 

Philip


On 24.08.2012 at 11:46, Jan-Carel Brand <lists at opkode.com> wrote:

> On Fri, 2012-08-24 at 11:22 +0200, Philip Bauer wrote:
>> oops. good thing i'm not part of the security-team. how about doing the transform on decoding the cookie as default? 
>> 
>> @JC: why do you use htmllaundry instead of portal_transforms? 
> 
> portal_transforms is also an option. 
> 
> The safe_html transform however allows many more tags (such as video,
> audio) and we only wanted to allow 5 tags.
> 
> Also, users can add more allowed tags, so might inadvertently open up an
> attack vector. 
> 
> I guess I could have registered a new transform but we were already
> using htmllaundry and it was quick and easy.
> 
>> And why a custom messagekey?
> 
> Since it's an override, I wanted to make it explicit. I.e. you HAVE to
> use addHTML to add rich messages.
> 
> The HTML messages need to be cast to literals so that Chameleon will
> render them and not just display the markup as text, but you don't want
> the same for plain text messages.
> 
> 
>> Am 24.08.2012 um 10:45 schrieb Richard Mitchell <richard.j.mitchell at gmail.com>:
>> 
>>> Philip: If one relies on the data being cleaned before it is set in the cookie, it could be manipulated afterwards, or completely separately to contain something more dangerous.
>>> 
>>> On Aug 24, 2012 9:09 AM, "Philip Bauer" <bauer at starzel.de> wrote:
>>> How about cleaning the message before saving as a cookie?
>>> 
>>> Would adding something like
>>> message = portal_transforms.convertTo('text/x-html-safe', self.message, mimetype='text/x-web-intelligent')
>>> to Products.statusmessages.message.Message.encode be ok?
>>> 
>>> Philip
>>> 
>>> Am 23.08.2012 um 18:50 schrieb Matthew Wilkes <matt at matthewwilkes.name>:
>>> 
>>>> 
>>>> 
>>>> Philip Bauer wrote:
>>>>> I changed this by customizing the template. Might there be a better way? Or might it be a good idea to change this template by default?
>>>> 
>>>> I would be hesitant to change this by default, as it means that if a malicious user can get cookies set for another user they can insert arbitrary HTML.
>>>> 
>>>> Matt
>>> 
>>> _______________________________________________
>>> Product-Developers mailing list
>>> Product-Developers at lists.plone.org
>>> https://lists.plone.org/mailman/listinfo/plone-product-developers
>> 
> 
> 
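The thread's two points, that a cookie-backed message store cannot rely on cleaning done before the cookie is written (the value can be set or altered outside the application), and that rich messages should need an explicit addHTML call and be whitelisted on the way out, can be shown together. The following is an added example, not code from this thread, from Products.statusmessages or from htmllaundry: it uses only the Python standard library, assumes a whitelist of five tags (a, b, i, em, strong) since the thread does not name them, and uses a constructed JSON + base64 cookie encoding that stands in for the real one.

```python
import base64
import json
from html import escape
from html.parser import HTMLParser

# Assumed whitelist: the thread mentions "5 tags" but does not list them.
ALLOWED_TAGS = {"a", "b", "i", "em", "strong"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_HREF_PREFIXES = ("http://", "https://", "/")


class WhitelistSanitizer(HTMLParser):
    """Rebuild markup keeping only whitelisted tags and attributes.

    Non-whitelisted tags are dropped but their text content is kept (escaped);
    href values with schemes such as javascript: or data: are removed.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []  # stack of emitted tags so every open gets a close

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue
            if name == "href" and not value.strip().lower().startswith(SAFE_HREF_PREFIXES):
                continue
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag not in self.open_tags:
            return
        while self.open_tags:  # close any unclosed inner tags as well
            closed = self.open_tags.pop()
            self.out.append("</%s>" % closed)
            if closed == tag:
                break

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

    def result(self):
        while self.open_tags:
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize(markup):
    """Return markup reduced to the whitelist; safe to render as a literal."""
    parser = WhitelistSanitizer()
    parser.feed(markup)
    parser.close()
    return parser.result()


def encode_cookie(messages):
    """Constructed cookie encoding: list of (kind, body) -> base64(JSON)."""
    raw = json.dumps(messages).encode("utf-8")
    return base64.urlsafe_b64encode(raw).decode("ascii")


def decode_cookie(value):
    """Decode AND sanitize on the way out.

    Cleaning here, not only on encode, is what protects against a cookie
    that was written or altered without going through addHTML.
    """
    raw = base64.urlsafe_b64decode(value.encode("ascii"))
    rendered = []
    for kind, body in json.loads(raw):
        if kind == "html":
            rendered.append(sanitize(body))          # whitelisted markup, rendered literally
        else:
            rendered.append(escape(body, quote=True))  # plain text is escaped entirely
    return rendered


class StatusMessages:
    """Constructed stand-in for a message store with an explicit HTML key."""

    def __init__(self):
        self.pending = []

    def add(self, text):
        self.pending.append(("text", text))

    def addHTML(self, markup):
        # Cleaning on input is fine as defence in depth, but decode_cookie
        # must not depend on it having happened.
        self.pending.append(("html", sanitize(markup)))

    def cookie_value(self):
        return encode_cookie(self.pending)


if __name__ == "__main__":
    store = StatusMessages()
    store.add("<b>not bold</b>")
    store.addHTML('Item <b>saved</b>, <a href="/folder">view it</a>')
    print(decode_cookie(store.cookie_value()))
    # A cookie value written outside the application (constructed tampering):
    tampered = encode_cookie([("html", "<b>hi</b><script>alert(1)</script>")])
    print(decode_cookie(tampered))
```

Running the module shows the plain-text message rendered fully escaped, the addHTML message keeping only its whitelisted tags, and the tampered value reduced to the same whitelist at decode time even though it never passed through addHTML.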


