Re: [Product-Developers] Need a 3.0 release for collective.flowplayer

2012-08-24 Thread Luca Fabbri
On Thu, Aug 23, 2012 at 7:21 PM, Encolpe Degoute wrote: > On 21/08/2012 12:15, Jens W. Klein wrote: >> On 2012-08-20 12:26, encolpe.dego...@free.fr wrote: >>> Hello, >>> >>> We need a new release for collective.flowplayer: several bugs >>> were fixed during the last year and several flowplayer ve

Re: [Product-Developers] Links in StatusMessages

2012-08-24 Thread Jan-Carel Brand
On Thu, 2012-08-23 at 15:29 -0600, Sean Upton wrote: > On Thu, Aug 23, 2012 at 10:50 AM, Matthew Wilkes > wrote: > > I would be hesitant to change this by default, as it means that if a > > malicious user can get cookies set for another user they can insert > > arbitrary HTML. > > It would be awf

Re: [Product-Developers] Links in StatusMessages

2012-08-24 Thread Philip Bauer
How about cleaning the message before saving it as a cookie? Would adding something like message = portal_transforms.convertTo('text/x-html-safe', self.message, mimetype='text/x-web-intelligent') to Products.statusmessages.message.Message.encode be ok? Philip On 23.08.2012 at 18:50, Mat

Re: [Product-Developers] Links in StatusMessages

2012-08-24 Thread Richard Mitchell
Philip: If one relies on the data being cleaned before it is set in the cookie, it could be manipulated afterwards, or completely separately, to contain something more dangerous. On Aug 24, 2012 9:09 AM, "Philip Bauer" wrote: > How about cleaning the message before saving it as a cookie? > > Would a

Re: [Product-Developers] Links in StatusMessages

2012-08-24 Thread Philip Bauer
Oops. Good thing I'm not part of the security team. How about doing the transform on decoding the cookie as default? @JC: why do you use htmllaundry instead of portal_transforms? And why a custom messagekey? Philip On 24.08.2012 at 10:45, Richard Mitchell wrote: > Philip: If one relies on

Re: [Product-Developers] Links in StatusMessages

2012-08-24 Thread Jan-Carel Brand
On Fri, 2012-08-24 at 11:22 +0200, Philip Bauer wrote: > Oops. Good thing I'm not part of the security team. How about doing the > transform on decoding the cookie as default? > > @JC: why do you use htmllaundry instead of portal_transforms? portal_transforms is also an option. The safe_html

Re: [Product-Developers] Links in StatusMessages

2012-08-24 Thread Philip Bauer
Hi JC, thanks for the explanation. It makes sense to me now. If you released it as an add-on I would welcome it. It might also be worth a PLIP. Philip On 24.08.2012 at 11:46, Jan-Carel Brand wrote: > On Fri, 2012-08-24 at 11:22 +0200, Philip Bauer wrote: >> Oops. Good thing I'm not part of

Re: [Product-Developers] Products.PloneOntology and p4a.ploneevent moved to github

2012-08-24 Thread Raphael Ritz
On 8/21/12 10:23 PM, Alex Clark wrote: FYI: - https://github.com/collective/Products.PloneOntology Thanks Alex! Great to see that PloneOntology is still alive :-) Raphael (whose team had initially written this years ago) - https://github.com/collective/p4a.ploneevent Alex

Re: [Product-Developers] Links in StatusMessages

2012-08-24 Thread Philip Bauer
JC: Since you only sanitize HTML messages and not the others, how do you prevent injection of malicious cookies? Your message tile is: ${message/message}. How does that escape normal messages but not HTML messages? I'm confused. Philip On 24.08.2012 at 12:42, Philip Bauer wrote: > Hi JC, >

Re: [Product-Developers] Links in StatusMessages

2012-08-24 Thread Philip Bauer
I didn't know that. Now I get it. On 24.08.2012 at 14:21, Jan-Carel Brand wrote: > Chameleon checks for this and calls __html__ if it exists, > otherwise it calls __str__ (which is escaped).
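
The two points the thread turns on are that a status message stored in a cookie is attacker-writable, so cleaning it before the cookie is written (Philip's first proposal) protects nothing once the cookie is tampered with (Richard's objection), and that a template engine such as Chameleon inserts a value verbatim only if it has an `__html__` method, escaping plain strings otherwise (JC's explanation). The following is an added example, not code from the thread, from Products.statusmessages or from Chameleon: it uses a toy allow-list sanitizer built on the standard library in place of portal_transforms' safe_html or htmllaundry, a constructed `kind:body` cookie payload that is an assumption rather than the real cookie format, and a small `render` function that imitates the `__html__`-or-escape rule. It contrasts decoding that trusts the cookie with decoding that sanitizes on read.

```python
import base64
import html
from html.parser import HTMLParser

# Constructed allow-list; an assumption, not the Plone safe_html configuration.
ALLOWED_TAGS = {"a", "b", "i", "em", "strong"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_HREF_PREFIXES = ("http://", "https://", "/")


class _Sanitizer(HTMLParser):
    """Toy allow-list sanitizer standing in for safe_html / htmllaundry."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # unknown tag is dropped; its text content is kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue  # drops event handlers such as onerror
            if name == "href" and not value.lower().startswith(SAFE_HREF_PREFIXES):
                continue  # drops javascript:, data:, etc.
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))


def sanitize(markup):
    """Return markup reduced to the allow-list above."""
    parser = _Sanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)


class HtmlMessage(str):
    """Marker type: engines that honour __html__ (Chameleon does) insert it verbatim."""

    def __html__(self):
        return str(self)


def render(value):
    """Imitates the rule quoted in the thread: __html__ if present, else escaped str()."""
    if hasattr(value, "__html__"):
        return value.__html__()
    return html.escape(str(value), quote=True)


def encode_cookie(message, is_html):
    """Assumed cookie layout 'html:...' / 'text:...'; the attacker can write this too."""
    payload = ("html:" if is_html else "text:") + message
    return base64.b64encode(payload.encode("utf-8")).decode("ascii")


def _split(cookie):
    kind, _, body = base64.b64decode(cookie).decode("utf-8").partition(":")
    return kind, body


def decode_cookie_unsafe(cookie):
    """Trusts the cookie: whatever it carries becomes raw HTML (the 'clean on encode' model)."""
    kind, body = _split(cookie)
    return HtmlMessage(body) if kind == "html" else body


def decode_cookie_safe(cookie):
    """Sanitizes on decode: a rewritten cookie still yields only allow-listed markup."""
    kind, body = _split(cookie)
    return HtmlMessage(sanitize(body)) if kind == "html" else body


def demo():
    # Server side: legitimate message, cleaned before it is written to the cookie.
    honest = encode_cookie(sanitize('Saved. <a href="/folder">Go back</a>'), True)
    # Attacker who can set cookies for the victim (the threat in the thread) overwrites it.
    tampered = encode_cookie('<a href="javascript:alert(1)">click</a><img src=x onerror=alert(1)>', True)
    return {
        "honest_unsafe": render(decode_cookie_unsafe(honest)),
        "tampered_unsafe": render(decode_cookie_unsafe(tampered)),
        "tampered_safe": render(decode_cookie_safe(tampered)),
        "plain_text": render("<b>not html</b>"),  # no __html__, so it is escaped
    }


if __name__ == "__main__":
    for name, out in demo().items():
        print("%-16s %s" % (name, out))
```

`tampered_unsafe` shows the script-bearing markup reaching the page unchanged even though the honest message was cleaned before encoding; `tampered_safe` shows the same cookie reduced to `<a>click</a>` when the transform runs on decode, and `plain_text` shows why a normal string message needs no sanitizer at all: without `__html__` the engine escapes it.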

Re: [Product-Developers] [Plone-developers] Plone Community and Development – Things of note (2012-08-23)

2012-08-24 Thread Patrick Gerken
When you fix this, are you also looking into ways to make it easy to check if pull request authors have signed an agreement? I know of one (minor) pull request from an author who has not signed the agreement and I am not sure what to do (I also wouldn't care but it seems some do care and I f

Re: [Product-Developers] [Plone-developers] Plone Community and Development – Things of note (2012-08-23)

2012-08-24 Thread Eric Steele
On Friday, August 24, 2012 at 11:30 AM, Elizabeth Leddy wrote: > On Aug 24, 2012, at 12:26 PM, Patrick Gerken wrote: > > > When you fix this, are you also looking into ways to make it easy to > > check if pull request authors have signed an agreement? I know of one > > (minor) pull request from