trac ticket 866 <http://trac.tiddlywiki.org/ticket/866> discusses the
need for server-side sanitation and validation of tiddler content.
My latest tiddlyweb commit to github starts work on a prototype for
such things. I'd appreciate some comments from interested parties. The
commit can be viewed at:
<http://github.com/tiddlyweb/tiddlyweb/commit/
2e471d0bf8f6d81f9b3f91e37b2a535935ab683e>
One of my concerns was, as usual, to make this extensible and
flexible, while also making it possible to have it not there at all
(as I feel too much validation runs contrary to the Wiki way). I think
what I've built gets this, but please confirm or deny as needed. I
also tried to take into account some of the comments in earlier
threads on this topic.
The basic architecture goes like this:
* There is a new constraint on policies called "accept". Like most of
the other constraints this is a list which can take roles, usernames,
and the special values "NONE" and "ANY". "accept" in this context
means "for the people in this list" accept the content without
sanitation or validation. The empty list means accept for everyone.
"ANY" means accept for any authenticated user. "NONE" means never
accept for anyone.
* When content is not accepted, it is passed into a validator system.
The tiddler and the current WSGI environment are provided to a list of
methods which either modify the current tiddler (e.g. disabling any
javascript, or cancelling a strange content type, or removing curse
words, etc) or raises "InvalidTiddlerError" if the tiddler is not
worth having.
* If the exception is raised it is reraised as an HTTP 409 (conflict)
that is sent to the user agent.
* If no exception is raised the now modified tiddler is saved to the
store.
* The validator methods are kept in an extensible module level list
called TIDDLER_VALIDATORS. At the moment it is empty, but this will
change soon enough.
In the commit reference above are two validators in the new test files
that demonstrate in the simplest way possible how things can work.
I hope this message makes some sense and the implementation as well.
If there is no sense to be found here, do let me know so I can
straighten things out.
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"TiddlyWikiDev" group.
To post to this group, send email to TiddlyWikiDev@googlegroups.com
To unsubscribe from this group, send email to
tiddlywikidev+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/TiddlyWikiDev?hl=en
-~----------~----~----~----~------~----~------~--~---
