On Fri, 2012-08-24 at 11:22 +0200, Philip Bauer wrote:
> Oops. Good thing I'm not part of the security-team. How about doing the
> transform on decoding the cookie as default?
>
> @JC: why do you use htmllaundry instead of portal_transforms?

portal_transforms is also an option. The safe_html transform however allows many more tags (such as video, audio) and we only wanted to allow 5 tags. Also, users can add more allowed tags, so might inadvertently open up an attack vector. I guess I could have registered a new transform but we were already using htmllaundry and it was quick and easy.

> And why a custom messagekey?

Since it's an override, I wanted to make it explicit. I.e. you HAVE to use addHTML to add rich messages. The HTML messages need to be cast to literals so that Chameleon will render them and not just display the markup as text, but you don't want the same for plain text messages.

> On 24.08.2012 at 10:45, Richard Mitchell <[email protected]> wrote:
> >
> > Philip: If one relies on the data being cleaned before it is set in the
> > cookie, it could be manipulated afterwards, or completely separately to
> > contain something more dangerous.
> >
> > On Aug 24, 2012 9:09 AM, "Philip Bauer" <[email protected]> wrote:
> > How about cleaning the message before saving as a cookie?
> >
> > Would adding something like
> > message = portal_transforms.convertTo('text/x-html-safe', self.message,
> > mimetype='text/x-web-intelligent')
> > to Products.statusmessages.message.Message.encode be ok?
> >
> > Philip
> >
> > On 23.08.2012 at 18:50, Matthew Wilkes <[email protected]> wrote:
> > >
> > > Philip Bauer wrote:
> > >> I changed this by customizing the template. Might there be a better way?
> > >> Or might it be a good idea to change this template by default?
> > >
> > > I would be hesitant to change this by default, as it means that if a
> > > malicious user can get cookies set for another user they can insert
> > > arbitrary HTML.
> > >
> > > Matt
> >
> > _______________________________________________
> > Product-Developers mailing list
> > [email protected]
> > https://lists.plone.org/mailman/listinfo/plone-product-developers
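The point Richard and Philip arrive at above, as an added example that is not code from the thread or from Products.statusmessages: sanitizing only when the message is encoded into the cookie does nothing for a cookie the client rewrites afterwards, while sanitizing on decode covers both cases. The five-tag allowlist, the base64 cookie layout and the stdlib-based sanitizer (standing in for htmllaundry) are assumptions.

```python
import base64
from html.parser import HTMLParser

# Assumed allowlist: the thread says "5 tags" but does not name them.
ALLOWED_TAGS = {"b", "i", "em", "strong", "br"}

class _Sanitizer(HTMLParser):
    """Keeps only ALLOWED_TAGS, drops every attribute, re-escapes stray '<'."""
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:       # attributes (onclick, style, ...) are dropped
            self.out.append("<%s>" % tag)
    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append("</%s>" % tag)
    def handle_data(self, data):      # text, including the body of a dropped <script>
        self.out.append(data.replace("<", "&lt;").replace(">", "&gt;"))
    def handle_entityref(self, name):
        self.out.append("&%s;" % name)
    def handle_charref(self, name):
        self.out.append("&#%s;" % name)

def sanitize(html):
    parser = _Sanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)

def encode(message):
    """Encode-side cleaning only: sanitize, then pack into the cookie value."""
    return base64.b64encode(sanitize(message).encode("utf-8")).decode("ascii")

def decode_unsafe(cookie):
    """Trusts the cookie body: whatever the client sends back gets rendered."""
    return base64.b64decode(cookie).decode("utf-8")

def decode_safe(cookie):
    """Decode-side cleaning: a cookie edited after encode() is cleaned as well."""
    return sanitize(decode_unsafe(cookie))

def demo():
    cookie = encode('Saved <b onclick="x()">ok</b> <script>evil()</script>')
    # Constructed tampering: the client rewrites its own cookie after the fact.
    forged = base64.b64encode(b'<object data="x"></object> hi').decode("ascii")
    return decode_unsafe(cookie), decode_unsafe(forged), decode_safe(forged)
```

The first value returned by demo() is clean because encode() sanitized it, the second shows the forged markup reaching the template untouched, and the third shows decode-side cleaning removing it.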
