[Product-Developers] Links in StatusMessages
Philip Bauer
bauer at starzel.de
Fri Aug 24 10:42:48 UTC 2012
Hi JC;
thanks for the explanation. It makes sense to me now.
If you released it as an addon I would welcome it. It might also be worth a PLIP.
Philip
Am 24.08.2012 um 11:46 schrieb Jan-Carel Brand <lists at opkode.com>:
> On Fri, 2012-08-24 at 11:22 +0200, Philip Bauer wrote:
>> oops. good thing i'm not part of the security-team. how about doing the transform on decoding the cookie as default?
>>
>> @JC: why do you use htmllaundry instead of portal_transforms?
>
> portal_transforms is also an option.
>
> The safe_html transform however allows many more tags (such as video,
> audio) and we only wanted to allow 5 tags.
>
> Also, users can add more allowed tags, so might inadvertently open up an
> attack vector.
>
> I guess I could have registered a new transform but we were already
> using htmllaundry and it was quick and easy.
>
>> And why a custom messagekey?
>
> Since it's an override, I wanted to make it explicit. I.e. you HAVE to
> use addHTML to add rich messages.
>
> The HTML messages need to be cast to literals so that Chameleon will
> render them and not just display the markup as text, but you don't want
> the same for plain text messages.
>
>
>> Am 24.08.2012 um 10:45 schrieb Richard Mitchell <richard.j.mitchell at gmail.com>:
>>
>>> Philip: If one relies on the data being cleaned before it is set in the cookie, it could be manipulated afterwards, or completely separately to contain something more dangerous.
>>>
>>> On Aug 24, 2012 9:09 AM, "Philip Bauer" <bauer at starzel.de> wrote:
>>> How about cleaning the message before saving as a cookie?
>>>
>>> Would adding something like
>>> message = portal_transforms.convertTo('text/x-html-safe', self.message, mimetype='text/x-web-intelligent')
>>> to Products.statusmessages.message.Message.encode be ok?
>>>
>>> Philip
>>>
>>> Am 23.08.2012 um 18:50 schrieb Matthew Wilkes <matt at matthewwilkes.name>:
>>>
>>>>
>>>>
>>>> Philip Bauer wrote:
>>>>> I changed this by customizing the template. Might there be a better way? Or might it be a good idea to change this template by default?
>>>>
>>>> I would be hesitant to change this by default, as it means that if a malicious user can get cookies set for another user they can insert arbitrary HTML.
>>>>
>>>> Matt
>>>
>>> _______________________________________________
>>> Product-Developers mailing list
>>> Product-Developers at lists.plone.org
>>> https://lists.plone.org/mailman/listinfo/plone-product-developers
>>
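The point made in the thread above is that a status message stored in a cookie is client-controlled data, so cleaning it in encode() (before it is written) proves nothing about what comes back; the allow-list filter has to run in decode(), at the point where the value is read back and cast to a literal for Chameleon. The following is an added, self-contained illustration of that design and is not code from Products.statusmessages, htmllaundry or the Plone safe_html transform: a small stdlib allow-list sanitiser stands in for htmllaundry, the five permitted tags (a, b, strong, em, br) and the JSON-in-base64 cookie format are assumptions chosen for the example, and encode_status/decode_status are hypothetical names rather than the real Message API. Plain-text messages are escaped, HTML messages are filtered, and both happen on the way out of the cookie.

```python
import base64
import html
import json
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allow-list: stands in for the "5 tags" mentioned in the thread (hypothetical choice).
ALLOWED_TAGS = {"a", "b", "strong", "em", "br"}
ALLOWED_ATTRS = {"a": {"href"}}
# Relative URLs (empty scheme) and these schemes survive; anything else (e.g. javascript:) is dropped.
SAFE_SCHEMES = {"http", "https", "mailto", ""}
DROP_CONTENT_TAGS = {"script", "style"}   # element *and* its text are removed
VOID_TAGS = {"br"}


class AllowlistSanitizer(HTMLParser):
    """Rebuilds markup keeping only allow-listed tags/attributes; other tags are removed, text is escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_stack = []   # allowed tags currently open, closed in order on the way out
        self.drop_depth = 0    # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth += 1
            return
        if self.drop_depth or tag not in ALLOWED_TAGS:
            return  # tag removed; its text content still arrives via handle_data
        kept = []
        for name, value in attrs:
            if name in ALLOWED_ATTRS.get(tag, ()) and value is not None:
                if name == "href" and urlsplit(value.strip()).scheme.lower() not in SAFE_SCHEMES:
                    continue
                kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.open_stack.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth = max(0, self.drop_depth - 1)
            return
        if self.drop_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        if tag in self.open_stack:
            # close inner unclosed tags first so the result stays well formed
            while self.open_stack:
                opened = self.open_stack.pop()
                self.out.append("</%s>" % opened)
                if opened == tag:
                    break

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(html.escape(data, quote=False))

    def result(self):
        self.close()
        while self.open_stack:
            self.out.append("</%s>" % self.open_stack.pop())
        return "".join(self.out)


def sanitize_html(markup):
    """Return markup reduced to the allow-list (stand-in for htmllaundry / safe_html)."""
    parser = AllowlistSanitizer()
    parser.feed(markup)
    return parser.result()


def encode_status(message, kind="text"):
    """Build the cookie value. kind is 'text' (default) or 'html' (the explicit addHTML path).
    Nothing done here is trusted later: the browser can replace the value at will."""
    payload = json.dumps({"kind": kind, "message": message})
    return base64.urlsafe_b64encode(payload.encode("utf-8")).decode("ascii")


def decode_status(cookie_value):
    """Read the cookie back and return markup that is safe to render as a literal.
    Escaping / filtering happens here, at the trust boundary, so a tampered cookie
    cannot smuggle markup past it. Malformed cookies yield an empty message."""
    try:
        payload = json.loads(base64.urlsafe_b64decode(cookie_value.encode("ascii")))
        kind, message = payload["kind"], str(payload["message"])
    except (ValueError, KeyError, TypeError):
        return ""
    if kind == "html":
        return sanitize_html(message)
    return html.escape(message, quote=True)


if __name__ == "__main__":
    # Constructed sample: a cookie as the server would set it, and one forged by the client.
    legit = encode_status('Saved. <a href="/folder">Go back</a>', kind="html")
    forged = encode_status('<script>alert(1)</script><b>hi</b>', kind="html")
    print(decode_status(legit))   # anchor survives
    print(decode_status(forged))  # script is gone, <b>hi</b> remains
```

Because the filter lives in decode_status, the "clean before saving" idea from earlier in the thread becomes unnecessary: it would only protect against values the server itself wrote, which are not the ones to worry about.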