JC: Since you only sanitize html-messages and not the others, how do you prevent injection of malicious cookies? Your message template is: <p tal:repeat="message view/messages" class="message ${message/type}">${message/message}</p>. How does that escape normal messages but not html-messages?

I'm confused.

Philip

On 24.08.2012 at 12:42, Philip Bauer <ba...@starzel.de> wrote:

> Hi JC;
>
> thanks for the explanation. It makes sense to me now.
> If you released it as an addon I would welcome it. It might also be worth a
> PLIP.
>
> Philip
>
>
> On 24.08.2012 at 11:46, Jan-Carel Brand <li...@opkode.com> wrote:
>
>> On Fri, 2012-08-24 at 11:22 +0200, Philip Bauer wrote:
>>> oops. good thing i'm not part of the security-team. how about doing the
>>> transform on decoding the cookie as default?
>>>
>>> @JC: why do you use htmllaundry instead of portal_transforms?
>>
>> portal_transforms is also an option.
>>
>> The safe_html transform however allows many more tags (such as video,
>> audio) and we only wanted to allow 5 tags.
>>
>> Also, users can add more allowed tags, so might inadvertently open up an
>> attack vector.
>>
>> I guess I could have registered a new transform but we were already
>> using htmllaundry and it was quick and easy.
>>
>>> And why a custom messagekey?
>>
>> Since it's an override, I wanted to make it explicit. I.e. you HAVE to
>> use addHTML to add rich messages.
>>
>> The HTML messages need to be cast to literals so that Chameleon will
>> render them and not just display the markup as text, but you don't want
>> the same for plain text messages.
>>
>>
>>> On 24.08.2012 at 10:45, Richard Mitchell
>>> <richard.j.mitch...@gmail.com> wrote:
>>>
>>>> Philip: If one relies on the data being cleaned before it is set in the
>>>> cookie, it could be manipulated afterwards, or completely separately to
>>>> contain something more dangerous.
>>>>
>>>> On Aug 24, 2012 9:09 AM, "Philip Bauer" <ba...@starzel.de> wrote:
>>>> How about cleaning the message before saving it as a cookie?
>>>>
>>>> Would adding something like
>>>> message = portal_transforms.convertTo('text/x-html-safe', self.message,
>>>> mimetype='text/x-web-intelligent')
>>>> to Products.statusmessages.message.Message.encode be ok?
>>>>
>>>> Philip
>>>>
>>>> On 23.08.2012 at 18:50, Matthew Wilkes <m...@matthewwilkes.name> wrote:
>>>>
>>>>>
>>>>>
>>>>> Philip Bauer wrote:
>>>>>> I changed this by customizing the template. Might there be a better way?
>>>>>> Or might it be a good idea to change this template by default?
>>>>>
>>>>> I would be hesitant to change this by default, as it means that if a
>>>>> malicious user can get cookies set for another user they can insert
>>>>> arbitrary HTML.
>>>>>
>>>>> Matt
>>>>
>>>> _______________________________________________
>>>> Product-Developers mailing list
>>>> product-develop...@lists.plone.org
>>>> https://lists.plone.org/mailman/listinfo/plone-product-developers
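The thread settles on two points: HTML messages must be cleaned when the cookie is decoded (not when it is written, since the client can rewrite it afterwards), and only messages added through the explicit HTML path are rendered as literals while plain messages stay escaped. The following is an added illustration of that design, not code from Products.statusmessages, htmllaundry or any poster in the thread. The cookie format (base64 of a JSON list), the `Message` fields, the function names and the five-tag allow list are assumptions; the allow-list parser is a stdlib stand-in for htmllaundry.

```python
"""Decode-time sanitisation of HTML status messages carried in a cookie.

Added illustration, not the code of Products.statusmessages or htmllaundry.
Assumed: the cookie format (base64 of a JSON list), the Message fields and
the five allowed tags. The allow-list parser is a stdlib stand-in for htmllaundry.
"""
import base64
import html
import json
from dataclasses import dataclass
from html.parser import HTMLParser

# Five tags, standing in for the small allow list mentioned in the thread (assumed set).
ALLOWED_TAGS = {"p", "a", "strong", "em", "br"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_HREF_PREFIXES = ("http://", "https://", "mailto:", "/")


class AllowlistSanitizer(HTMLParser):
    """Keeps allow-listed tags/attributes; every other tag is dropped and
    all text is HTML-escaped, so nothing unexpected survives into the page."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return                       # e.g. <script>: tag dropped, its text kept as text
        kept = ""
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue                 # onclick=, style= ... never pass
            if name == "href" and not value.strip().lower().startswith(SAFE_HREF_PREFIXES):
                continue                 # javascript: and data: hrefs dropped
            kept += f' {name}="{html.escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))


def sanitize(fragment):
    """Return `fragment` reduced to the allow list (stand-in for htmllaundry)."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


@dataclass
class Message:
    message: str
    type: str          # "info", "warning", "error": ends up in the class attribute
    is_html: bool      # True only for messages added via the explicit addHTML path


def encode(messages):
    """Serialise Message objects into a cookie value. No cleaning here: whatever
    we do now, the client can still rewrite the cookie before it comes back."""
    payload = json.dumps([[m.message, m.type, m.is_html] for m in messages]).encode("utf-8")
    return base64.urlsafe_b64encode(payload).decode("ascii")


def decode(cookie_value):
    """Parse the cookie and sanitise HTML messages *here*, on the way in, so a
    cookie altered after encode() ran gets the same treatment as a fresh one."""
    payload = base64.urlsafe_b64decode(cookie_value.encode("ascii"))
    messages = []
    for text, mtype, is_html in json.loads(payload):
        text = sanitize(text) if is_html else text
        messages.append(Message(text, mtype, bool(is_html)))
    return messages


def render(messages):
    """Mimic the template line <p class="message ${message/type}">${message/message}</p>:
    plain messages are escaped the way Chameleon escapes them; HTML messages are the
    'literal' case and are inserted as-is, which is exactly why decode() must clean them."""
    parts = []
    for m in messages:
        body = m.message if m.is_html else html.escape(m.message, quote=False)
        parts.append(f'<p class="message {html.escape(m.type, quote=True)}">{body}</p>')
    return "".join(parts)


if __name__ == "__main__":
    # Constructed sample: one plain message, one HTML message, and a cookie whose
    # HTML message was altered on the client to carry a script tag.
    cookie = encode([Message("Item <b>saved</b>", "info", False),
                     Message('<strong>Done.</strong> <a href="/folder">Back</a>', "info", True)])
    print(render(decode(cookie)))
    altered = encode([Message('<script>alert(1)</script><em>hi</em>', "info", True)])
    print(render(decode(altered)))
```

The plain message keeps its literal `<b>` as escaped text, the HTML message keeps its allowed tags, and the altered cookie comes out with the script tag removed and only its text left behind. Moving the sanitiser into `encode()` instead, as first proposed in the thread, would leave `decode()` trusting whatever the browser sends back.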