On Saturday 31 August 2002 12:46, Matthew wrote: > > On Sat, Aug 31, 2002 at 12:33:58AM -0400, Gianni Johansson wrote: > > On Friday 30 August 2002 08:57, Matthew wrote: > > > > On Thu, Aug 29, 2002 at 01:57:03PM +0100, Matthew Toseland wrote: > > > > Hi. Newly implemented fproxy functionality allows you to fetch an old > > > > edition of a DBR site, like this: > > > > http://127.0.0.1:8888/SSK@rBjVda8pC-Kq04jUurIAb8IzAGcPAgM/TFE//?date= > > > >2002 0817 > > > > You don't need to change the anonymity filter. Just add support for a > > date specifier in fproxy that doesn't use any illegal characters, similar > > to to the external checked jump stuff. > > > > e.g. > > http://127.0.0.1:8888/__USE_DATE_20020817__SSK@rBjVda8pC-Kq04jUurIAb8IzAG > >cPAgM/TFE// > > Ugh. The anonymity filter blocks all links, both outlinks and links > within freenet, which have ? in them...
> this is a problem for several sites Why? Are there cases besides the one I outlined below? If we allowed escaped ?, : and & in checked jumps would that make content authors happy or are there other issues? As far as internal content goes, I don't think that allowing content authors to pass arbitrary arguments to fproxy is a good idea, at least not without warning first. For example, I don't think that content authors should be able to override the htl I set without fproxy asking me. Another issue would be preventing the case of a freesite making a link that causes local files to be inserted into freenet without warning you... > Can it indicate javascript, or is this just to stop links within > freenet from messing with the fproxy parameters? Can we safely allow ?'s > in external links then? I think there was some issue with escape sequences that would allow you to generate dangerous html but I can't remember. The debate on the filter went on for months and months. I would be really careful about changing it unless you are sure you know what you are doing. [ Aside: Could someone (Ian? agl?) get the old mailing list archives back on line so newer developpers have access to ancient freenet dev chronicles. ] The only place I have seen ? (and also ":" ) cause problems is in legal checked jumps. e.g. /__CHECKED_HTTP__hawk.freenetproject.org:8890/ Trips the anonyimity filter even though it's safe. The easy conservative thing to do is to create legal escapes. So the above example would become: /__CHECKED_HTTP__hawk.freenetproject.org__COLON__8890/ the filter wouldn't trip when the page was loaded. When the user clicks on the link, they would get the usual warning message, with the escapes still in the url (that way fproxy is *never* rendering html that might have dangerous characters). If they clicked through then fproxy would generate a redirect to the external page with the escapes unescaped. -- gj _______________________________________________ devl mailing list [EMAIL PROTECTED] http://hawk.freenetproject.org/cgi-bin/mailman/listinfo/devl
