Hi Laurence
Subject: Re: [Zope-dev] CSRF protection for z3c.form
On 4 April 2011 19:16, Roger d...@projekt01.ch wrote:
Hi Shane
-Original Message-
From: Shane Hathaway [mailto:sh...@hathawaymix.org]
Sent: Monday, 4 April 2011 19:54
To: d...@projekt01.ch
Cc
On 4/6/11 7:43 PM, Roger wrote:
[..]
I think protecting the form is just one part of a concept.
Another part must be to prevent injecting JavaScript into
user generated content. If an application allows posting
JS in a blog post or comment etc. it should be possible to
use easydmx to read and
On 6 April 2011 18:43, Roger d...@projekt01.ch wrote:
Hi Laurence
Subject: Re: [Zope-dev] CSRF protection for z3c.form
On 4 April 2011 19:16, Roger d...@projekt01.ch wrote:
Hi Shane
-Original Message-
From: Shane Hathaway [mailto:sh...@hathawaymix.org]
Sent: Monday
Hi Laurence
Subject: Re: [Zope-dev] CSRF protection for z3c.form
On 6 April 2011 18:43, Roger d...@projekt01.ch wrote:
Hi Laurence
Subject: Re: [Zope-dev] CSRF protection for z3c.form
On 4 April 2011 19:16, Roger d...@projekt01.ch wrote:
Hi Shane
-Original
On 6 April 2011 22:24, Roger d...@projekt01.ch wrote:
Hi Laurence
Subject: Re: [Zope-dev] CSRF protection for z3c.form
On 6 April 2011 18:43, Roger d...@projekt01.ch wrote:
Hi Laurence
Subject: Re: [Zope-dev] CSRF protection for z3c.form
On 4 April 2011 19:16, Roger d...@projekt01
Hi Laurence, Stephan
Subject: Re: [Zope-dev] CSRF protection for z3c.form
On Wednesday, April 06, 2011, Laurence Rowe wrote:
def update(self):
    super(Form, self).update()
    self.updateActions()
    self.authenticateSubmission()
    self.actions.execute
] CSRF protection for z3c.form
On 04/04/2011 10:22 AM, Roger wrote:
Just because you can write login forms with z3c.form this
package has
nothing to do with authentication. That's just a form framework!
Authentication is definitely not a part
of our z3c.form framework and should not become
On 4 April 2011 16:53, Stephan Richter srich...@cosmos.phy.tufts.edu wrote:
On Monday, April 04, 2011, Laurence Rowe wrote:
The authenticator is described on
http://pypi.python.org/pypi/plone.protect, but basically it adds an
HMAC-SHA signed token into the form submission. By validating this
I've been looking into how we might add CSRF protection to z3c.form forms as
we will be including z3c.form in Plone 4.1. Currently in Plone, we use
plone.protect to add an authentication token to our forms and then check the
token in the methods that get called. (plone.protect is BSD licensed, but
On Monday, April 04, 2011, Laurence Rowe wrote:
I'd be interested to know how other z3c.form users approach CSRF protection
and what approach they would recommend.
Hi Laurence,
I am okay with (1), but find (3) more attractive. Since I am not familiar with
the token solution to avoid CSRF
On 4 April 2011 14:57, Stephan Richter srich...@cosmos.phy.tufts.edu wrote:
On Monday, April 04, 2011, Laurence Rowe wrote:
I'd be interested to know how other z3c.form users approach CSRF protection
and what approach they would recommend.
Hi Laurence,
I am okay with (1), but find (3) more
On Monday, April 04, 2011, Laurence Rowe wrote:
The authenticator is described on
http://pypi.python.org/pypi/plone.protect, but basically it adds an
HMAC-SHA signed token into the form submission. By validating this you
know that the submission came from a form that your site rendered,
to do with the z3c.form library? Did I miss
something?
Regards
Roger Ineichen
-Original Message-
From: zope-dev-boun...@zope.org
[mailto:zope-dev-boun...@zope.org] On Behalf Of Laurence Rowe
Sent: Monday, 4 April 2011 15:37
To: zope-dev
Subject: [Zope-dev] CSRF
On 2011-4-4 18:22, Roger wrote:
Hi Laurence, Stephan
Just because you can write login forms with
z3c.form this package has nothing to do with
authentication. That's just a form framework!
Authentication is definitely not a part
of our z3c.form framework and should not
become one.
Why do
On 04/04/2011 12:23 PM, Wichert Akkerman wrote:
On 2011-4-4 18:22, Roger wrote:
Hi Laurence, Stephan
Just because you can write login forms with
z3c.form this package has nothing to do with
authentication. That's just a form framework!
On 04/04/2011 10:22 AM, Roger wrote:
Just because you can write login forms with
z3c.form this package has nothing to do with
authentication. That's just a form framework!
Authentication is definitely not a part
of our z3c.form framework and should not
become one.
Why do you think
Hi Shane
-Original Message-
From: Shane Hathaway [mailto:sh...@hathawaymix.org]
Sent: Monday, 4 April 2011 19:54
To: d...@projekt01.ch
Cc: 'Laurence Rowe'; 'zope-dev'; stephan.rich...@gmail.com
Subject: Re: [Zope-dev] CSRF protection for z3c.form
On 04/04/2011 10:22
Hi Stephan
Subject: Re: AW: [Zope-dev] CSRF protection for z3c.form
On Monday, April 04, 2011, Roger wrote:
Authentication is definitely not a part
of our z3c.form framework and should not become one.
Why do you think authentication has something to do with
the z3c.form
library
18 matches