oops. good thing i'm not part of the security-team. how about doing the transform on decoding the cookie as default?
@JC: why do you use htmllaundry instead of portal_transforms? And why a custom messagekey?

Philip

On 24.08.2012 at 10:45, Richard Mitchell <richard.j.mitch...@gmail.com> wrote:

> Philip: If one relies on the data being cleaned before it is set in the
> cookie, it could be manipulated afterwards, or completely separately to
> contain something more dangerous.
>
> On Aug 24, 2012 9:09 AM, "Philip Bauer" <ba...@starzel.de> wrote:
>
> How about cleaning the message before saving it as a cookie?
>
> Would adding something like
>
>     message = portal_transforms.convertTo('text/x-html-safe', self.message,
>                                           mimetype='text/x-web-intelligent')
>
> to Products.statusmessages.message.Message.encode be ok?
>
> Philip
>
> On 23.08.2012 at 18:50, Matthew Wilkes <m...@matthewwilkes.name> wrote:
>
> > Philip Bauer wrote:
> >> I changed this by customizing the template. Might there be a better way?
> >> Or might it be a good idea to change this template by default?
> >
> > I would be hesitant to change this by default, as it means that if a
> > malicious user can get cookies set for another user they can insert
> > arbitrary HTML.
> >
> > Matt
>
> _______________________________________________
> Product-Developers mailing list
> product-develop...@lists.plone.org
> https://lists.plone.org/mailman/listinfo/plone-product-developers
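The encode-versus-decode question debated in this thread, as an added example that is not part of the thread and not code from Products.statusmessages: a small Python model of a status-message cookie in which the cleaning step can be placed either in `encode` or in `decode`. `to_html_safe` is a constructed stand-in for the `portal_transforms` call Philip proposes (it escapes every tag instead of keeping an allow-list), and the JSON-in-base64 cookie format is invented for the example; neither matches the real package. The point it shows is Richard's: the cookie is client-side state, so cleaning only at encode time protects nothing once the cookie has been rewritten, while cleaning at decode time escapes whatever the cookie holds at render time.

```python
import base64
import html
import json

# Constructed stand-in for portal_transforms.convertTo('text/x-html-safe', ...,
# mimetype='text/x-web-intelligent'): escape every tag and attribute quote,
# then turn newlines into <br /> so a plain-text message still renders line
# breaks. The real transform keeps an allow-list of tags; this one allows none.
def to_html_safe(text: str) -> str:
    return html.escape(text, quote=True).replace("\n", "<br />")


def encode_cookie(message: str, sanitize_on_encode: bool) -> str:
    """Model of Message.encode: serialise a status message into a cookie value.

    The wire format (JSON in URL-safe base64) is constructed for this example;
    it is not the format Products.statusmessages uses.
    """
    if sanitize_on_encode:
        message = to_html_safe(message)
    payload = json.dumps({"message": message, "type": "info"})
    return base64.urlsafe_b64encode(payload.encode("utf-8")).decode("ascii")


def decode_cookie(cookie_value: str, sanitize_on_decode: bool) -> str:
    """Model of Message.decode: read the cookie back and return the HTML that
    the status-message template would insert into the page."""
    raw = base64.urlsafe_b64decode(cookie_value.encode("ascii"))
    payload = json.loads(raw.decode("utf-8"))
    message = payload["message"]
    return to_html_safe(message) if sanitize_on_decode else message


def rewrite_cookie(cookie_value: str, new_message: str) -> str:
    """Model of the 'manipulated afterwards' case from the thread: the cookie
    lives in the browser, so whoever holds it can replace the stored message."""
    raw = base64.urlsafe_b64decode(cookie_value.encode("ascii"))
    payload = json.loads(raw.decode("utf-8"))
    payload["message"] = new_message
    return base64.urlsafe_b64encode(json.dumps(payload).encode("utf-8")).decode("ascii")


def render_cleaning_on_encode(original: str, replaced_with: str) -> str:
    """Clean in encode() only, then let the cookie be rewritten before decode()."""
    cookie = encode_cookie(original, sanitize_on_encode=True)
    cookie = rewrite_cookie(cookie, replaced_with)
    return decode_cookie(cookie, sanitize_on_decode=False)


def render_cleaning_on_decode(original: str, replaced_with: str) -> str:
    """Clean in decode() only: whatever the cookie holds is escaped at render time."""
    cookie = encode_cookie(original, sanitize_on_encode=False)
    cookie = rewrite_cookie(cookie, replaced_with)
    return decode_cookie(cookie, sanitize_on_decode=True)


if __name__ == "__main__":
    injected = "<script>alert(1)</script>"  # constructed marker, not a real payload
    print("encode-time cleaning renders:", render_cleaning_on_encode("Changes saved.", injected))
    print("decode-time cleaning renders:", render_cleaning_on_decode("Changes saved.", injected))
```

Because the stand-in escapes everything, a message that legitimately contains markup would be shown literally; the `text/x-html-safe` transform proposed in the thread instead keeps an allow-list of tags, which is why it was suggested over plain escaping. Whichever transform is used, running it in both `encode` and `decode` double-escapes characters such as `&`, so pick one place, and the thread's conclusion is that the place has to be `decode`.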