Oops. Good thing I'm not part of the security team. How about doing the 
transform on decoding the cookie as default? 

@JC: why do you use htmllaundry instead of portal_transforms? And why a custom 
messagekey?

Philip

On 24.08.2012 at 10:45, Richard Mitchell <richard.j.mitch...@gmail.com> wrote:

> Philip: If one relies on the data being cleaned before it is set in the 
> cookie, it could be manipulated afterwards, or completely separately to 
> contain something more dangerous.
> 
> On Aug 24, 2012 9:09 AM, "Philip Bauer" <ba...@starzel.de> wrote:
> How about cleaning the message before saving as a cookie?
> 
> Would adding something like
> message = portal_transforms.convertTo('text/x-html-safe', self.message, 
> mimetype='text/x-web-intelligent')
> to Products.statusmessages.message.Message.encode be ok?
> 
> Philip
> 
> On 23.08.2012 at 18:50, Matthew Wilkes <m...@matthewwilkes.name> wrote:
> 
> >
> >
> > Philip Bauer wrote:
> >> I changed this by customizing the template. Might there be a better way? 
> >> Or might it be a good idea to change this template by default?
> >
> > I would be hesitant to change this by default, as it means that if a 
> > malicious user can get cookies set for another user they can insert 
> > arbitrary HTML.
> >
> > Matt
> 
> _______________________________________________
> Product-Developers mailing list
> product-develop...@lists.plone.org
> https://lists.plone.org/mailman/listinfo/plone-product-developers

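The point Richard and Matt make above is that a transform applied in Message.encode only covers cookies that encode() itself produced; a cookie set by any other path never goes through it, so the safe default is to apply the transform when the cookie is decoded. The following is an added illustration, not code from Products.statusmessages or Plone: encode_cookie and decode_cookie are hypothetical stand-ins for Message.encode/decode (base64 replaces the real cookie serialization), and the small allow-list sanitizer stands in for the portal_transforms text/x-html-safe transform. The sample messages and the tampered cookie are constructed for the demonstration.

```python
"""Added example (not Products.statusmessages code): where to apply the
HTML-safe transform so that a cookie written or altered outside encode()
is still rendered safely."""
import base64
import html
from html.parser import HTMLParser

# Hypothetical allow-list standing in for the text/x-html-safe transform.
ALLOWED_TAGS = {"b", "i", "em", "strong", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http://", "https://")


class _Sanitizer(HTMLParser):
    """Rebuild the markup, keeping only allow-listed tags and attributes;
    text content is always re-escaped, script/style bodies are dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip_depth = 0  # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1
            return
        if self._skip_depth or tag not in ALLOWED_TAGS:
            return  # drop the tag itself, its text still passes through escaped
        kept = []
        for name, value in attrs:
            if name in ALLOWED_ATTRS.get(tag, set()) and value is not None:
                if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                    continue  # refuse javascript:, data: and similar schemes
                kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if not self._skip_depth and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(html.escape(data, quote=False))


def sanitize(markup):
    """Return markup reduced to the allow-list (model of the safe transform)."""
    parser = _Sanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)


def encode_cookie(message, sanitize_first=False):
    """Model of Message.encode: optionally clean, then serialize for the cookie."""
    body = sanitize(message) if sanitize_first else message
    return base64.b64encode(body.encode("utf-8")).decode("ascii")


def decode_cookie(cookie, sanitize_on_decode=True):
    """Model of Message.decode with the transform applied on the way out by default."""
    body = base64.b64decode(cookie).decode("utf-8")
    return sanitize(body) if sanitize_on_decode else body


def demo():
    """Constructed scenario: a cookie value produced by something other than encode()."""
    # A legitimate message, cleaned at encode time, survives the round trip.
    legit = decode_cookie(encode_cookie("<b>Saved.</b>", sanitize_first=True))
    # The same cookie slot filled by another code path never saw encode()'s
    # cleaning; only a decode-time transform still neutralises it.
    tampered = base64.b64encode(
        b"<b>Saved.</b><script>alert(1)</script>").decode("ascii")
    return legit, decode_cookie(tampered), decode_cookie(tampered, sanitize_on_decode=False)


if __name__ == "__main__":
    print(demo())
```

Cleaning in encode() is still worthwhile as defence in depth (it keeps stored cookies small and predictable), but decode_cookie is the step that guarantees what the template renders, because it is the only step every cookie value passes through regardless of who wrote it.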