On Thu, 2012-08-23 at 15:29 -0600, Sean Upton wrote:
> On Thu, Aug 23, 2012 at 10:50 AM, Matthew Wilkes
> <[email protected]> wrote:
> > I would be hesitant to change this by default, as it means that if a
> > malicious user can get cookies set for another user they can insert
> > arbitrary HTML.
>
> It would be awfully convenient to have sanitized rich-text in the
> messages though? I want to even just style some text in them or bold
> some part of the message. Surely there is a cross-site-attack-proof
> way to handle these narrow cases, maybe cleaning the cookie value
> prior to insertion as HTML? Ideas?
I did this for NuPlone (with some tips from Wichert). In plonetheme.nuplone I subclassed the default IStatusMessage to provide an addHTML method.

https://github.com/euphorie/NuPlone/blob/master/plonetheme/nuplone/adapter.py

In the overridden "show" method, I used htmllaundry's sanitize method to clean up the markup and then cast the strings to literals so that Chameleon will render them properly.

http://pypi.python.org/pypi/htmllaundry/1.10

The sanitizer will remove all javascript and keep only the HTML elements you tell it to (in this case a, b, strong, blockquote, span).

At the time I was wondering if I should release it as an add-on. I'm happy to do that if the interest is there.

JC

_______________________________________________
Product-Developers mailing list
[email protected]
https://lists.plone.org/mailman/listinfo/plone-product-developers
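As an added illustration of the pattern JC describes (not code from the thread, from NuPlone or from htmllaundry): an `addHTML`/`show` pair where rich-text messages pass through an allowlist sanitizer before being marked as literals. The `AllowlistSanitizer` below is a standard-library stand-in for `htmllaundry.sanitize`, keeping only the a, b, strong, blockquote and span elements named in the mail, dropping script/style content, event-handler attributes and non-http(s)/mailto hrefs; `Markup` is a minimal stand-in for a Chameleon literal (Chameleon does not escape objects that define `__html__`), and `HTMLStatusMessages` is a hypothetical adapter whose names are assumptions, not the real IStatusMessage implementation.

```python
# Added example: allowlist-sanitized status messages. The sanitizer stands in
# for htmllaundry.sanitize; Markup stands in for a Chameleon literal; the
# HTMLStatusMessages class is hypothetical (names are assumptions).
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"a", "b", "strong", "blockquote", "span"}
ALLOWED_ATTRS = {"a": {"href"}}             # no attributes at all on the others
SAFE_HREF_SCHEMES = ("http://", "https://", "mailto:")
DROP_CONTENT_TAGS = {"script", "style"}     # element AND its text are removed


class AllowlistSanitizer(HTMLParser):
    """Re-emit only allowlisted tags/attributes; everything else becomes escaped text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip_depth = 0    # > 0 while inside <script>/<style>
        self._open = []         # tags we emitted, so we can close them in order

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._skip_depth += 1
            return
        if self._skip_depth or tag not in ALLOWED_TAGS:
            return              # disallowed tag is dropped; its text is kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue        # drops onclick=, style=, etc.
            v = (value or "").strip()
            if name == "href" and not v.lower().startswith(SAFE_HREF_SCHEMES):
                continue        # drops javascript:, data:, vbscript: links
            kept.append(' %s="%s"' % (name, escape(v, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        self._open.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if self._skip_depth or tag not in ALLOWED_TAGS or tag not in self._open:
            return
        while self._open:       # close mis-nested inner tags first
            t = self._open.pop()
            self.out.append("</%s>" % t)
            if t == tag:
                break

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass                    # comments (incl. conditional comments) are dropped

    def result(self):
        while self._open:       # close anything the input left open
            self.out.append("</%s>" % self._open.pop())
        return "".join(self.out)


def sanitize(markup):
    parser = AllowlistSanitizer()
    parser.feed(markup)
    parser.close()
    return parser.result()


class Markup(str):
    """Literal marker: template engines such as Chameleon skip escaping objects with __html__."""

    def __html__(self):
        return str(self)


class HTMLStatusMessages:
    """Hypothetical adapter: plain add() escapes, addHTML() sanitizes, show() casts to literals."""

    def __init__(self):
        self._queue = []

    def add(self, text, kind="info"):
        self._queue.append((escape(text, quote=False), kind))

    def addHTML(self, markup, kind="info"):
        self._queue.append((sanitize(markup), kind))

    def show(self):
        messages = [(Markup(body), kind) for body, kind in self._queue]
        self._queue = []
        return messages


if __name__ == "__main__":
    # Constructed input mixing wanted formatting with hostile markup.
    hostile = '<b>Saved</b> <script>alert(1)</script><a href="javascript:alert(1)" onclick="x()">link</a>'
    print(sanitize(hostile))    # <b>Saved</b> <a>link</a>
```

Note that the literal cast happens in `show()`, after sanitizing, so nothing reaches the template as trusted markup without first passing the allowlist; the plain `add()` path still escapes, which is why a cookie value that an attacker can set only ever renders as text there.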
