Hi JC; thanks for the explanation. It makes sense to me now. If you released it as an add-on I would welcome it. It might also be worth a PLIP.

Philip

On 24.08.2012 at 11:46, Jan-Carel Brand <[email protected]> wrote:

> On Fri, 2012-08-24 at 11:22 +0200, Philip Bauer wrote:
>> Oops. Good thing I'm not part of the security team. How about doing the
>> transform on decoding the cookie as default?
>>
>> @JC: why do you use htmllaundry instead of portal_transforms?
>
> portal_transforms is also an option.
>
> The safe_html transform however allows many more tags (such as video,
> audio) and we only wanted to allow 5 tags.
>
> Also, users can add more allowed tags, so might inadvertently open up an
> attack vector.
>
> I guess I could have registered a new transform but we were already
> using htmllaundry and it was quick and easy.
>
>> And why a custom messagekey?
>
> Since it's an override, I wanted to make it explicit. I.e. you HAVE to
> use addHTML to add rich messages.
>
> The HTML messages need to be cast to literals so that Chameleon will
> render them and not just display the markup as text, but you don't want
> the same for plain text messages.
>
>
>> On 24.08.2012 at 10:45, Richard Mitchell
>> <[email protected]> wrote:
>>
>>> Philip: If one relies on the data being cleaned before it is set in the
>>> cookie, it could be manipulated afterwards, or completely separately to
>>> contain something more dangerous.
>>>
>>> On Aug 24, 2012 9:09 AM, "Philip Bauer" <[email protected]> wrote:
>>> How about cleaning the message before saving as a cookie?
>>>
>>> Would adding something like
>>>     message = portal_transforms.convertTo('text/x-html-safe', self.message,
>>>                                           mimetype='text/x-web-intelligent')
>>> to Products.statusmessages.message.Message.encode be ok?
>>>
>>> Philip
>>>
>>> On 23.08.2012 at 18:50, Matthew Wilkes <[email protected]> wrote:
>>>
>>>>
>>>>
>>>> Philip Bauer wrote:
>>>>> I changed this by customizing the template. Might there be a better way?
>>>>> Or might it be a good idea to change this template by default?
>>>>
>>>> I would be hesitant to change this by default, as it means that if a
>>>> malicious user can get cookies set for another user they can insert
>>>> arbitrary HTML.
>>>>
>>>> Matt
>>>
>>> _______________________________________________
>>> Product-Developers mailing list
>>> [email protected]
>>> https://lists.plone.org/mailman/listinfo/plone-product-developers
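The two points the thread settles on, that cleaning a message before it goes into the cookie proves nothing because the cookie can be rewritten afterwards (so the cleaning belongs on the decode side), and that sanitized HTML messages must be marked as literals for Chameleon while plain messages stay escaped, as an added Python example. This is not code from the thread, from Products.statusmessages or from htmllaundry: the names Message, decode_cookie, Literal and safe_html, the cookie payload layout and the five-tag whitelist are assumptions for the demo, and the tag filter is a small stdlib stand-in for htmllaundry / safe_html.

```python
"""Added example (not from the thread or Products.statusmessages): clean rich
status messages when the cookie is DECODED, never only when it is encoded.
Names, payload format and whitelist below are assumptions for this demo."""
import base64
import html
from html.parser import HTMLParser

# Assumed whitelist: deliberately short, in the spirit of the "only five tags"
# mentioned in the thread (the real list is not on the page).
ALLOWED_TAGS = {"a", "b", "i", "em", "strong"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_HREF_PREFIXES = ("http://", "https://", "/")
SEP = "\x1f"  # field separator inside the cookie payload (assumed layout)


class _Whitelister(HTMLParser):
    """Keep only whitelisted tags/attributes; escape everything else."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return                       # drop the tag, keep its text content
        rendered = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue                 # unknown attribute (onclick, style, ...)
            if name == "href" and not value.strip().lower().startswith(SAFE_HREF_PREFIXES):
                continue                 # non-http(s)/relative targets are dropped
            rendered.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(rendered)))
        self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag not in self.open_tags:
            return                       # stray or disallowed closing tag
        while self.open_tags:            # close anything still open inside it
            opened = self.open_tags.pop()
            self.out.append("</%s>" % opened)
            if opened == tag:
                break

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

    def close(self):
        super().close()
        while self.open_tags:            # balance tags the input left open
            self.out.append("</%s>" % self.open_tags.pop())


def safe_html(fragment):
    """Return a whitelisted, balanced version of an HTML fragment."""
    parser = _Whitelister()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


class Literal(str):
    """Marker for markup that has already been sanitized. Chameleon renders
    objects exposing __html__() as-is, so no template override is needed."""

    def __html__(self):
        return str(self)


class Message:
    """Minimal stand-in for a status message; is_html mirrors addHTML()."""

    def __init__(self, message, type="info", is_html=False):
        self.message, self.type, self.is_html = message, type, is_html

    def encode(self):
        # Deliberately no cleaning here: once the cookie leaves the server it
        # is untrusted, so cleaning at this point would prove nothing.
        payload = SEP.join(("h" if self.is_html else "t", self.type, self.message))
        return base64.b64encode(payload.encode("utf-8")).decode("ascii")


def decode_cookie(cookie):
    """Decode one message into (type, value) ready for the template.
    HTML messages come back as a sanitized Literal, plain ones as an escaped
    str, so a plain message can never smuggle markup even from a forged cookie."""
    kind, type_, message = base64.b64decode(cookie).decode("utf-8").split(SEP, 2)
    if kind == "h":
        return type_, Literal(safe_html(message))
    return type_, html.escape(message, quote=True)


if __name__ == "__main__":
    cookie = Message("<b>Saved</b><script>alert(1)</script>", is_html=True).encode()
    print(decode_cookie(cookie))      # ('info', '<b>Saved</b>alert(1)')
    print(decode_cookie(Message("<b>not bold</b>").encode()))
```

Because the filter runs in decode_cookie, it does not matter whether the cookie was written by addHTML or edited in the browser afterwards: whatever the template receives has passed the whitelist, and only the HTML path yields a Literal.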
