On Wed, May 25, 2011 at 08:54, Bogdan Marinov <[email protected]> wrote:
> On Wed, May 25, 2011 at 9:45 AM, Fabien Chéreau
> <[email protected]> wrote:
>> On Wed, May 25, 2011 at 03:52, Alexander Wolf <[email protected]> wrote:
>>> 2011/5/25 Fabien Chéreau <[email protected]>:
>>>> This approach has several advantages: it will be much easier for
>>>> contributors to translate the website, it will be easier to manage
>>>> updates, the whole code will be stored in the main Stellarium bzr.
>>>
>>> I would prefer not to load a website into the main repository of
>>> Stellarium.
>>
>> Why? If the doc and wiki directories are omitted it would add only 4mb.
>
> It may be a source of conflicts when merging branches into the trunk.
> The less merge conflicts, the better.
>
>>>>  2- There may be some security issues by allowing untrusted people to
>>>> edit the translated website content in launchpad (like injection of
>>>> javascript etc..). A solution could be to allow only trusted people to
>>>> edit the translations on launchpad, but unfortunately the permissions
>>>> management for project translation in LP is not very
>>>> flexible and as far as I understood, I don't think it's possible.
>>>
>>> This issue is being addressed through changes to the permissions policy for
>>> the translation project -
>>
>> I don't see how.
>>
>>> but you can not specify different policies
>>> for different "domains" within one project.
>>
>> It's another problem yes.
>
> I suggest using the existing stellarium-website project, though I
> don't see how we can avoid code injection. Perhaps using the PHP
> script that includes the text to strip tags? If this is going to be a
> security vulnerability, I suggest abandoning the plan. Our website is
> visited by a lot of people.

I agree. Possible technical solutions are, as you said, to strip tags
(e.g. with http://php.net/manual/en/function.strip-tags.php) or to
escape HTML special characters
(http://www.php.net/manual/en/function.htmlspecialchars.php).

The only problem is that we need to allow certain tags like <a>,
because their position is language dependent, so we also need to make
sure they don't contain attributes with javascript, like onclick.
Fab

> Regards,
> Bogdan Marinov
>
> _______________________________________________
> Stellarium-pubdevel mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/stellarium-pubdevel
>
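A sketch of the escape-then-re-allow approach discussed above, added here as an example and not code from the Stellarium website project. It assumes translators may only use <a href="..."> and that strip_tags() with an allowed-tags list is not enough on its own, because PHP's strip_tags() keeps the attributes of allowed tags (so onclick would survive). The sample translated string and the function name are constructed.

```php
<?php
// Constructed sample: what an untrusted translation on Launchpad might contain.
$translated = 'See the <a href="http://stellarium.org/" onclick="alert(1)">site</a>'
    . ' and <b>bold</b> <script>alert(2)</script>'
    . ' <a href="&#106;avascript:alert(3)">bad</a>';

// Escape every piece of text, then re-enable only <a href="..."> links whose
// href is an absolute http(s) URL or a site-relative path. All other attributes
// (onclick, style, ...) and all other tags are neutralised.
function sanitizeTranslation(string $text): string
{
    // Split on <a ...> and </a>; odd indices hold the tags, even indices the text.
    $parts = preg_split('~(<a\b[^>]*>|</a>)~i', $text, -1, PREG_SPLIT_DELIM_CAPTURE);
    $out = '';
    foreach ($parts as $i => $part) {
        if ($i % 2 === 0) {
            // Plain text, including any tag we do not allow: escape it.
            $out .= htmlspecialchars($part, ENT_QUOTES, 'UTF-8');
            continue;
        }
        if (strcasecmp($part, '</a>') === 0) {
            $out .= '</a>';
            continue;
        }
        // Opening <a>: keep a safe href only, discard every other attribute.
        if (preg_match('~\bhref\s*=\s*"([^"]*)"~i', $part, $m)) {
            // Decode entities first so &#106;avascript: cannot hide the scheme.
            $href = trim(html_entity_decode($m[1], ENT_QUOTES, 'UTF-8'));
            // Allow http://, https:// and site-relative paths (not protocol-relative //).
            if (preg_match('~^(https?://|/(?!/))~i', $href)) {
                $out .= '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">';
                continue;
            }
        }
        // Unsafe or missing href: emit a bare <a> so the closing tag still pairs.
        $out .= '<a>';
    }
    return $out;
}

echo sanitizeTranslation($translated), "\n";
// See the <a href="http://stellarium.org/">site</a> and &lt;b&gt;bold&lt;/b&gt;
// &lt;script&gt;alert(2)&lt;/script&gt; <a>bad</a>
```

Links whose href contains a literal `>` inside the quotes are not matched as tags and end up escaped as text, which fails safe but is worth telling translators about.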

