Hi Shishir,

Thanks for the prompt response. I would appreciate it if you could clarify a few things for me. Our usernames are created using Orkut's PHP REST API, so I am not sure why you would think that they are not escaped correctly. Here is the code snippet we are using to create our internal usernames:

    $orkut->os_client->people_getUserInfo($orkut_user);
    ..
    $userProfile["displayname"] = $user_details['entry']['name']['givenName'].$user_details['entry']['name']['familyName'];

We do have users on our application from MySpace where their usernames have special characters. Example: "Colleene<3Tarlo". Since this data comes from MySpace (we also use their PHP API), we do not escape, as they do allow special characters and escaping will mess up the usernames (Colleene&lt;3Tarlo instead of Colleene<3Tarlo) that they use on MySpace. So since this is not user-entered data, as it comes from an OpenSocial API call, we have made an exception in our backend logic. If you think it's an issue, please let us know and we will make sure that when we display this data on Orkut it's escaped properly.

Thanks again for all your help.

Regards,
Paresh

On Jul 15, 9:26 pm, "Shishir Birmiwal (Google)" <[email protected]> wrote:
> Paresh,
>
> Your app does not escape usernames correctly and this can allow javascript
> injection.
> Could you please fix that and submit the app for review again?
>
> Thanks,
> Shishir
>
> On Thu, Jul 16, 2009 at 3:10 AM, Paresh Joshi <[email protected]> wrote:
>
> > Hi,
> > I received an email from Orkut saying that my application is in
> > violation of some TOS:
> >
> > "We've been playing around with your orkut application itemCASTER at
> > http://www.itemcaster.com/orkut/itemcaster.xml and have some feedback
> > for you.
> > The app is in violation of orkut terms and conditions, e.g. throwing
> > popups, posting activities or redirecting without any user
> > interaction"
> >
> > Can anyone from the Orkut team let me know the specifics, as I am not sure
> > I am violating the TOS. There are a couple of things my application does
> > which may be considered a violation, so I just want to clarify:
> >
> > 1. When the user first goes to the Canvas page, we display an overlay (not
> > a pop-up) with "about information" of our app. There is a close button
> > to close the overlay. The idea is to give new users a quick overview
> > of various features of the app.
> > 2. In two of our pages (in canvas view) the user can add multiple items
> > to their profile by clicking check boxes next to the product. Instead
> > of posting activities every time they check a check box, we wait
> > for some time and then post. So, the activity post is not immediate but
> > it's for sure based on user interaction. Is this a violation of TOS?
> >
> > Any help is highly appreciated.
> > Thanks!
>
> > --
> > Marie von
> Ebner-Eschenbach<http://www.brainyquote.com/quotes/authors/m/marie_von_ebnereschenbac....>
> - "Even a stopped clock is right twice a day."
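
An added example (not code from this thread or from the Orkut or MySpace APIs) of escaping a display name once, at output time, for the context it lands in: the stored value stays raw, so the browser still shows Colleene<3Tarlo, while markup inside a name is rendered inert. The helper names `html_text` and `js_literal` and the sample names are assumptions; the last line of each group shows the mangling that escaping twice causes.

```php
<?php
// Added example. Helper names are hypothetical; the sample names are constructed.

// Display names stored raw, exactly as a social API returned them.
$names = [
    'Colleene<3Tarlo',                 // legitimate name with a special character
    'Eve<script>alert(1)</script>',    // name that carries markup
    'Bob" onmouseover="x',             // name that tries to leave an attribute
];

// Escape for HTML element content and quoted attribute values.
function html_text(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Encode as a JavaScript string literal that is safe inside an inline
// <script> block: <, >, &, ' and " are emitted as \uXXXX sequences.
function js_literal(string $raw): string
{
    return json_encode(
        $raw,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

foreach ($names as $raw) {
    // The raw value is what goes into storage; it is never echoed as-is.
    printf("stored : %s\n", $raw);

    // Escaped once, per output context.
    printf("html   : <span class=\"name\">%s</span>\n", html_text($raw));
    printf("attr   : <img alt=\"%s\" src=\"avatar.png\">\n", html_text($raw));
    printf("script : var displayName = %s;\n", js_literal($raw));

    // Escaping a value that is already escaped (for example, escaping on
    // storage and again on output) turns &lt; into &amp;lt;, which the
    // browser then shows literally as "&lt;" in the name.
    printf("twice  : %s\n\n", html_text(html_text($raw)));
}
```

Run with `php` on the command line to compare the four renderings of each name; a browser decodes the `html` and `attr` forms back to the original characters for display.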

