On Wed, Feb 23, 2011 at 4:55 AM, Alessandro Molina <[email protected]> wrote:
> Having a tool like that is indeed useful for TG.
> I'll take a look at it as soon as possible.
> As in the past I did some work on tgext pieces, let me know if there
> is anything that I can do to help with
> http://turbogears.flow.io/task/14/#post14

The worst part is that I'm not entirely sure what I *mean* by that item. It could be as little as "make a tg2ext repository on SF and get all of them migrated into there" or it could mean "get CI working and everything fully tested for each release for each of the major tgext pieces". I'm open for suggestions on direction :) Just a reflection.

> You are now using a regexp to escape script tags, wouldn't having the
> standard genshi ${} escape support be a better solution?
> Developers could probably still be able to put tags inside the error by
> explicitly using genshi.Markup() inside their messages.

I thought about that, actually. Simply remove the XML() call (and, in fact, it was one of my attempts). However, that doesn't work, especially in the case of genshi.Markup(), not for this case.

The problem stems from the fact that message is a parameter to the page, and can be passed in the URL. When that happens, a crafty user can create a bad URL with anything he wants inside of it. So, if genshi.Markup() passes markup back, then it can pass back script tags. If script tags are there, then the problem can occur. So, we can't rely on genshi.Markup().

If we remove the ability to prevent XML processing (remove the XML() call), then developers cannot mark up their error message at all. We have to safely shut down any incoming script tags in their entirety. The only remaining option I could find was to replace <script with <noscript. Then I tried it with mixed case: <ScRiPt also resulted in working javascript being passed in with FF4.0b11.

That left me with two options: a series of .replace calls to catch every case variation on both script and noscript (since I have to match the tag, as script could be valid in the message itself), or use a regex to replace. In the end, I went for the regex. It was the best I could find. If there is something better *and* that addresses the issue entirely, I'll take it. I just don't think there is this time.

> If you need a server for the TG project let me know. I think I can
> arrange to donate one to the TG project.

Actually, we're quite covered there. Florent has a server which we're going to switch several pieces over to. We're going to use SF for what we can, and migrate our infrastructure over to SF when it's better capable of handling the pieces that it cannot handle right now.

> If one more person is needed I have time and interest to volunteer,
> just let me know.

Thank you. I'm adding you on the list of mentors now.

> This makes me also think about one thing... let me know your opinion.
> People usually tend to approach frameworks that provide a CMS
> application as the CMS is usually the first thing that they see that
> uses the framework, currently TG is missing an "official" one. That
> could be a good GSOC project.

Well, there are many options: ACR, C5T, and tgext.pages. I'd rather have one of those get worked on instead of a whole new one. I'd also like to see some of the other pieces of the puzzle built before tackling the CMS situation. Having standardized ways to provide user management, configuration settings, and the like, would be a good thing. However, I also know that we don't get to entirely pick the project that any candidate would be working on, so I'll add CMS (including links for the above three) onto the ideas page.

--
Michael J. Pedersen
My IM IDs: Jabber/[email protected], ICQ/103345809, AIM/pedermj022171
Yahoo/pedermj2002, MSN/[email protected]

--
You received this message because you are subscribed to the Google Groups "TurboGears Trunk" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/turbogears-trunk?hl=en.
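The case-insensitive script-tag replacement the reply describes, shown beside the escape-everything alternative the thread weighs against it. This is an added example, not code from the thread or from TurboGears; the regex, function names and sample messages are assumptions made here.

```python
import html
import re

# Added example, not code from the TurboGears project or from the thread's author.
# It implements the approach described above: a case-insensitive regex that turns
# every <script ...> and </script> tag into the inert <noscript> form while leaving
# other markup (e.g. <b>) in the error message intact. The `\b` keeps tags such as
# <scripting> and the bare word "script" untouched.
_SCRIPT_TAG = re.compile(r"<(/?)script\b", re.IGNORECASE)


def neutralize_script_tags(message: str) -> str:
    """Rewrite <script / </script, in any letter case, to <noscript / </noscript."""
    return _SCRIPT_TAG.sub(r"<\1noscript", message)


def escape_everything(message: str) -> str:
    """The alternative the thread weighs: escape the whole message, losing all markup."""
    return html.escape(message, quote=True)


# Constructed samples of the `message` URL parameter mapped to the expected result.
SAMPLES = {
    "<script>x</script>": "<noscript>x</noscript>",
    "<ScRiPt>y</sCrIpT>": "<noscript>y</noscript>",        # mixed case is also caught
    "<script\tsrc=z>": "<noscript\tsrc=z>",                  # whitespace after the name
    "Run the script again <b>now</b>": "Run the script again <b>now</b>",  # untouched
}


def check_samples() -> bool:
    """Return True when every constructed sample is rewritten as expected."""
    return all(neutralize_script_tags(m) == want for m, want in SAMPLES.items())


if __name__ == "__main__":
    for m in SAMPLES:
        print(repr(m), "->", repr(neutralize_script_tags(m)))
    print("escaped:", escape_everything("<b>bold</b>"))
```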
