Philip: If one relies on the data being cleaned before it is set in the
cookie, it could be manipulated afterwards, or completely separately to
contain something more dangerous.
On Aug 24, 2012 9:09 AM, "Philip Bauer" <[email protected]> wrote:
> How about cleaning the message before saving as a cookie?
>
> Would adding something like
> message = portal_transforms.convertTo('text/x-html-safe', self.message,
> mimetype='text/x-web-intelligent')
> to Products.statusmessages.message.Message.encode be ok?
>
> Philip
>
> Am 23.08.2012 um 18:50 schrieb Matthew Wilkes <[email protected]>:
>
> >
> >
> > Philip Bauer wrote:
> >> I changed this by customizing the template. Might there be a better
> way? Or might it be a good idea to change this template by default?
> >
> > I would be hesitant to change this by default, as it means that if a
> malicious user can get cookies set for another user they can insert
> arbitrary HTML.
> >
> > Matt
>
> _______________________________________________
> Product-Developers mailing list
> [email protected]
> https://lists.plone.org/mailman/listinfo/plone-product-developers
>
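The point Matt makes above, illustrated with an added, self-contained example that is not code from Products.statusmessages or from anyone in this thread: a stand-in cookie format (base64-encoded JSON, constructed for the example) is cleaned on the way in, but because the browser controls the cookie value, a value that never went through the cleaning step reaches the renderer unchanged. Escaping at output time holds either way. The sanitize function is a hypothetical stand-in for the `convertTo('text/x-html-safe', ...)` idea, not Plone's transform.

```python
import base64
import html
import json
import re

# Constructed stand-in for a status-message cookie. It mirrors the shape of
# the discussion (message text stored client-side, rendered later) without
# using Plone's Message class or portal_transforms.

TAG_RE = re.compile(r"<[^>]*>")


def sanitize(text):
    """Input-side cleaning: strip anything that looks like a tag.
    Hypothetical stand-in for the text/x-html-safe transform."""
    return TAG_RE.sub("", text)


def encode_message(text, kind="info"):
    """Clean the text, then pack it into a cookie value (base64 JSON)."""
    payload = json.dumps({"message": sanitize(text), "type": kind})
    return base64.b64encode(payload.encode("utf-8")).decode("ascii")


def decode_message(cookie_value):
    """Unpack a cookie value. The browser controls this value, so nothing
    about its contents is trustworthy just because encode_message cleaned it."""
    payload = base64.b64decode(cookie_value.encode("ascii")).decode("utf-8")
    data = json.loads(payload)
    return data["message"], data["type"]


def render_unescaped(cookie_value):
    """Renders the message verbatim (like a template inserting it with
    'structure'), relying on the cookie having been cleaned when it was set."""
    message, kind = decode_message(cookie_value)
    return '<div class="%s">%s</div>' % (kind, message)


def render_escaped(cookie_value):
    """Escapes at output time, so rendering is safe regardless of how the
    cookie value came to be."""
    message, kind = decode_message(cookie_value)
    return '<div class="%s">%s</div>' % (html.escape(kind), html.escape(message))


def cookie_without_cleaning(message, kind="info"):
    """A cookie value built without going through encode_message, standing in
    for a cookie that was set or modified outside the application."""
    payload = json.dumps({"message": message, "type": kind})
    return base64.b64encode(payload.encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    honest = encode_message("Item <b>saved</b>")
    print(render_unescaped(honest))      # tags were stripped at set time
    tampered = cookie_without_cleaning("Item <b>saved</b>")
    print(render_unescaped(tampered))    # markup passes straight through
    print(render_escaped(tampered))      # markup is rendered as text
```

Running the block shows the same renderer producing cleaned output for the cookie it set itself and raw markup for one it did not, while the escaping renderer is indifferent to the cookie's origin.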