Chris,

a (perhaps) stupid question

Why do you call the policy constraint "accept"? You call the
constraint "accept", and validate if it is not set.

Why not call the policy constraint "validate", and only validate when it is set?

I'm not arguing about which way the default is, just about how much
information I have to keep in my head. If you call the constraint
"accept" then I need to remember that this is what governs the
validation policy. If you call the constraint "validate", then it is
obvious what it does.

Not a big deal, but I am curious as to your underlying reasoning.

Martin

2009/6/16 [email protected] <[email protected]>:
>
> On Jun 16, 12:16 am, mahemoff <[email protected]> wrote:
>> Thanks for the update Chris. The flexible validation model makes sense
>> - in the medium-to-long term I would also like to see TiddlyWeb ship
>> with a default validator that allows for general HTML content, that
>> does the usual Javascript stripping, matching HTML tags, and so on.
>> Perhaps one that is easily configurable wrt which tags (and possibly
>> attributes) it can take. Last I checked, this is a fairly common thing
>> for sanitisation libraries to offer, so what I'm suggesting is a
>> validator that is simply an adaptor into an existing sanitisation
>> library.
>
> Based on poking around on the tinternets, the preferred tool is
> html5lib which has a subclassable sanitizer built in, so I'll be
> looking into that.
>
> However, it's important to keep in mind that in the tiddler situation
> we've got more than "general HTML content" to consider. Sometimes we
> want to remove systemConfig tags, or reject tiddlers that look like
> plugins, that sort of thing.
>
> And more confusingly we've got input coming in that may be posing as
> an image (having content type image/png) but not actually being that
> content. I assume there are some vectors in which someone could
> deposit a binary tiddler and wreak havoc. Basically things are made
> more complicated by content being stored on the end of a generic PUT
> rather than a CGI form submission.
>
> These things are not really in my ken, which is part of why I'm making
> the system easy to extend. I'm hoping that people with a bit more
> expertise in this area will contribute. I am doing some reading up,
> however.
>
> As an aside: it's my expectation that there will also be loops for
> validating PUT recipes and bags as well (one area that will need
> sanitization is recipe and bag descriptions).
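Added example (my own code, not TiddlyWeb's validator and not anything Chris has posted): a stand-alone Python validator that does the three things the quoted message lists. It strips the systemConfig tag so a stored tiddler cannot be picked up as a plugin, refuses a binary tiddler whose body does not start with the file signature its declared content type implies (a "PNG" that is really HTML), and runs text/html content through an allowlist sanitizer that drops unknown tags, event-handler attributes, javascript: hrefs and script/style bodies and closes unbalanced tags. It uses the standard library's html.parser rather than the html5lib sanitizer mentioned above. The dict shape of a tiddler, the names validate_tiddler/is_valid/sanitize_html and InvalidTiddlerError, the MAGIC table and the allowlist are all assumptions made for the example.

```python
import html
import re
from html.parser import HTMLParser

class InvalidTiddlerError(Exception):
    """Raised when a tiddler must be rejected rather than cleaned."""

# Declared binary type -> file signatures the body must start with
# (constructed table of well-known magic bytes; extend as needed).
MAGIC = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/jpeg": (b"\xff\xd8\xff",),
}

# Sanitizer allowlist (assumption: deliberately small; tune per site).
ALLOWED_TAGS = {"a", "b", "i", "em", "strong", "p", "ul", "ol", "li", "br", "code", "pre"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
VOID_TAGS = {"br"}
# http(s), mailto, relative and fragment URLs only; rejects javascript:, data:, ...
SAFE_URL = re.compile(r"^(https?:|mailto:|/|#|[^:]*$)", re.IGNORECASE)

class Sanitizer(HTMLParser):
    """Allowlist sanitizer: unknown tags/attributes dropped, <script>/<style>
    bodies discarded, unsafe hrefs removed, text re-escaped, and unbalanced
    tags closed so the output is well-formed."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.stack, self.skip = [], [], 0   # skip: depth in script/style

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
            return
        if self.skip or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            value = (value or "").strip()
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                          # drops onclick=, style=, ...
            if name == "href" and not SAFE_URL.match(value):
                continue                          # drops javascript: and friends
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
            return
        if self.skip or tag not in self.stack:
            return
        while self.stack:           # also closes anything left open inside it
            top = self.stack.pop()
            self.out.append("</%s>" % top)
            if top == tag:
                break

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))

    def result(self):
        self.close()
        while self.stack:
            self.out.append("</%s>" % self.stack.pop())
        return "".join(self.out)

def sanitize_html(text):
    s = Sanitizer()
    s.feed(text)
    return s.result()

def validate_tiddler(tiddler):
    """Return a cleaned copy of the tiddler dict, or raise InvalidTiddlerError.
    A tiddler is {"title", "text" (str, or bytes for binaries), "type", "tags"}."""
    # systemConfig marks a tiddler as a plugin the client executes: strip it.
    tags = [t for t in tiddler.get("tags", []) if t != "systemConfig"]
    text, ctype = tiddler["text"], tiddler.get("type", "text/html")
    if ctype in MAGIC:
        # A PUT can declare image/png and carry anything: check the signature.
        body = text if isinstance(text, bytes) else text.encode("latin-1", "replace")
        if not body.startswith(MAGIC[ctype]):
            raise InvalidTiddlerError("body does not look like %s" % ctype)
    elif ctype.startswith("text/html"):
        text = sanitize_html(text)
    return {"title": tiddler["title"], "text": text, "type": ctype, "tags": tags}

def is_valid(tiddler):
    """True if validate_tiddler accepts the tiddler (rejections become False)."""
    try:
        validate_tiddler(tiddler)
        return True
    except InvalidTiddlerError:
        return False
```

The signature check only catches a body that does not match its declared type; a genuine PNG can still carry other content after the header, so binaries should also be served with a fixed Content-Type and X-Content-Type-Options: nosniff rather than trusting the check alone. The sanitizer is allowlist-based on purpose: anything not explicitly permitted (tags, attributes, URL schemes) is dropped, which is the only way such a filter stays safe as browsers grow new features.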

Posted to the Google Groups "TiddlyWikiDev" group: http://groups.google.com/group/TiddlyWikiDev?hl=en