JC: Since you only sanitize html-messages and not the others how do you prevent 
injection of malicious cookies?
Your message-tile is: <p tal:repeat="message view/messages" class="message 
${message/type}">${message/message}</p>. How does that escape normal messages 
but not html-messages?

I'm confused.

Philip

Am 24.08.2012 um 12:42 schrieb Philip Bauer <ba...@starzel.de>:

> Hi JC;
> 
> thanks for the explanation. It makes sense to me now. 
> If you released it as an addon I would welcome it. It might also be worth a 
> PLIP. 
> 
> Philip
> 
> 
> Am 24.08.2012 um 11:46 schrieb Jan-Carel Brand <li...@opkode.com>:
> 
>> On Fri, 2012-08-24 at 11:22 +0200, Philip Bauer wrote:
>>> oops. good thing i'm not part of the security-team. how about doing the 
>>> transform on decoding the cookie as default? 
>>> 
>>> @JC: why do you use htmllaundry instead of portal_transforms? 
>> 
>> portal_transforms is also an option. 
>> 
>> The safe_html transform however allows many more tags (such as video,
>> audio) and we only wanted to allow 5 tags.
>> 
>> Also, users can add more allowed tags, so might inadvertently open up an
>> attack vector. 
>> 
>> I guess I could have registered a new transform but we were already
>> using htmllaundry and it was quick and easy.
>> 
>>> And why a custom messagekey?
>> 
>> Since it's an override, I wanted to make it explicit. I.e. you HAVE to
>> use addHTML to add rich messages.
>> 
>> The HTML messages need to be cast to literals so that Chameleon will
>> render them and not just display the markup as text, but you don't want
>> the same for plain text messages.
>> 
>> 
>>> Am 24.08.2012 um 10:45 schrieb Richard Mitchell 
>>> <richard.j.mitch...@gmail.com>:
>>> 
>>>> Philip: If one relies on the data being cleaned before it is set in the 
>>>> cookie, it could be manipulated afterwards, or completely separately to 
>>>> contain something more dangerous.
>>>> 
>>>> On Aug 24, 2012 9:09 AM, "Philip Bauer" <ba...@starzel.de> wrote:
>>>> How about cleaning the message before saving it as a cookie?
>>>> 
>>>> Would adding something like
>>>> message = portal_transforms.convertTo('text/x-html-safe', self.message, 
>>>> mimetype='text/x-web-intelligent').getData()
>>>> to Products.statusmessages.message.Message.encode be ok?
>>>> 
>>>> Philip
>>>> 
>>>> Am 23.08.2012 um 18:50 schrieb Matthew Wilkes <m...@matthewwilkes.name>:
>>>> 
>>>>> 
>>>>> 
>>>>> Philip Bauer wrote:
>>>>>> I changed this by customizing the template. Might there be a better way? 
>>>>>> Or might it be a good idea to change this template by default?
>>>>> 
>>>>> I would be hesitant to change this by default, as it means that if a 
>>>>> malicious user can get cookies set for another user they can insert 
>>>>> arbitrary HTML.
>>>>> 
>>>>> Matt
>>>> 
>>>> _______________________________________________
>>>> Product-Developers mailing list
>>>> product-develop...@lists.plone.org
>>>> https://lists.plone.org/mailman/listinfo/plone-product-developers
>>> 
>> 
>> 
> 


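The design the thread settles on can be shown end to end in a few lines. What follows is an added example, not code from this thread, from Products.statusmessages or from htmllaundry: a toy cookie-backed StatusMessages class (names, JSON/base64 cookie layout and the five-tag allow-list are all constructed assumptions) in which plain messages are escaped at render time, rich messages have to go through an explicit add_html(), and the allow-list sanitizer runs when the cookie is decoded rather than when it is encoded, so a cookie value altered after encode() still cannot inject markup.

```python
# Added example; not code from the thread, Products.statusmessages or htmllaundry.
# Models the design argued for above: plain messages are escaped on render,
# HTML messages must be added explicitly, and the allow-list sanitizer runs
# on *decode*, so tampering with the cookie after encode() buys nothing.
import base64
import html
import json
from dataclasses import dataclass
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "a", "strong", "em", "br"}   # constructed allow-list (5 tags)
ALLOWED_ATTRS = {"a": {"href"}}
DROPPED_WITH_CONTENT = {"script", "style"}        # element *and* its text are dropped


class _AllowListSanitizer(HTMLParser):
    """Re-serialises a fragment keeping only allow-listed tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)   # entities arrive decoded, we re-escape
        self.out = []
        self._skip = 0                            # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROPPED_WITH_CONTENT:
            self._skip += 1
            return
        if self._skip or tag not in ALLOWED_TAGS:
            return                                # unknown tag: dropped, its text kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue
            if name == "href" and value.strip().lower().startswith("javascript:"):
                continue                          # refuse script-scheme links
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROPPED_WITH_CONTENT:
            self._skip = max(0, self._skip - 1)
        elif not self._skip and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(html.escape(data, quote=False))


def sanitize_html(fragment):
    p = _AllowListSanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.out)


@dataclass
class Message:
    message: str
    type: str = "info"
    is_html: bool = False   # True only via add_html(); rendered as a literal


class StatusMessages:
    """Cookie-backed message queue (toy stand-in for the real tool)."""

    def __init__(self):
        self._pending = []

    def add(self, text, msg_type="info"):          # plain text, escaped on render
        self._pending.append({"message": text, "type": msg_type, "html": False})

    def add_html(self, markup, msg_type="info"):   # the explicit rich-message path
        self._pending.append({"message": markup, "type": msg_type, "html": True})

    def encode(self):
        # Deliberately no cleaning here: anything done before the value leaves
        # the server can be undone by editing the cookie.
        return base64.urlsafe_b64encode(json.dumps(self._pending).encode()).decode()

    @staticmethod
    def decode(cookie_value):
        raw = json.loads(base64.urlsafe_b64decode(cookie_value.encode()))
        msgs = []
        for item in raw:
            text = str(item.get("message", ""))
            if item.get("html"):
                text = sanitize_html(text)         # laundering happens on decode
            msgs.append(Message(text, str(item.get("type", "info")), bool(item.get("html"))))
        return msgs


def render(messages):
    """Models <p class="message ${type}">${message}</p>: ${...} is escaped unless literal."""
    parts = []
    for m in messages:
        body = m.message if m.is_html else html.escape(m.message, quote=True)
        parts.append(f'<p class="message {html.escape(m.type, quote=True)}">{body}</p>')
    return "".join(parts)


def tampered_cookie_demo():
    """Cookie forged after encode(): html=True plus a script element (constructed)."""
    forged = [{"message": "<script>alert(1)</script><strong>Hi</strong>",
               "type": "info", "html": True}]
    cookie = base64.urlsafe_b64encode(json.dumps(forged).encode()).decode()
    return render(StatusMessages.decode(cookie))
```

Running tampered_cookie_demo() shows the script element removed and only the allow-listed <strong> surviving, which is the point Richard and Matt make: cleaning on encode would have been bypassed entirely, because the forged value never went through encode() at all.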