Re: [Myghty-users] "safe" method contents
From: Michael B. <mi...@my...> - 2006-02-06 04:59:45
If you are having untrusted users create text and submit it, I would say not to have that text embedded directly into a myghty template at all. What are they really trying to accomplish? Is it an authoring system of some kind? If they're truly not trusted, but need some kind of variable-substitution capability I'd advise embedding some other system for that, like HTMLTemplate.

On Feb 5, 2006, at 9:58 PM, David Geller wrote:

> Hi,
>
> We are having users create text, which we then place in a myghty
> template - each blob of text into a method. The stuff is then
> processed by other methods subsequently.
>
> What is necessary to prevent users from inserting potential malware
> in these text blobs?
>
> So far I have:
>
> 1. Filter/escape all lines starting with a %
> 2. Filter/escape all <% %> constructs
> 3. Filter/escape all <& &> constructs
>
> Am I missing something, or will this render the text "safe"?
>
>
> Another question which occurred to me after reading Ben Bangert's
> Artima posts was if Myghty templates, in general, are "unsafe":
> would there be a way to limit what a user could do in a template?
> My answer is that it would not be easy, but I am curious what Mike
> and others say...
>
> Thanks!
>
> David
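Added example (Python; not code from this thread, from Myghty, or from HTMLTemplate): the first function flags the three constructs in David's filter list so a submission can be reviewed or logged before anyone decides what to do with it; the second shows the approach the reply recommends, keeping user text as data that is substituted into a developer-authored page through a separate mechanism, so it is never compiled as template source. `string.Template` and `html.escape` stand in for whatever substitution library is actually used. The block-tag pattern (`<%python>` and similar) is an assumption based on Myghty's Mason-derived syntax, not something the thread lists, and the sample text is constructed for this example.

```python
import re
import html
from string import Template

# Constructed sample of user-submitted text containing the three constructs
# David lists (a "%" line, a "<% %>" substitution and a "<& &>" component
# call), plus an innocent "%" that must not be flagged.
SAMPLE_USER_TEXT = """Hello from a user.
% import os
Balance: <% 1 + 1 %>
<& header.myt &>
Plain line with a literal 5% discount."""

# Patterns for the constructs in David's list. "percent_line" is deliberately
# conservative (leading whitespace allowed). "block_tag" (<%python>, <%init>,
# </%python> ...) is an assumption added here, not something the thread names.
DIRECTIVE_PATTERNS = {
    "percent_line": re.compile(r"^\s*%", re.MULTILINE),
    "substitution": re.compile(r"<%.*?%>", re.DOTALL),
    "component_call": re.compile(r"<&.*?&>", re.DOTALL),
    "block_tag": re.compile(r"</?%[A-Za-z]+\b[^>]*>"),  # assumption, see above
}


def find_directives(text):
    """Return (kind, line_number, matched_text) for every Myghty-looking
    construct in user text: what would have been interpreted as code had the
    text been compiled as part of a template."""
    found = []
    for kind, pattern in DIRECTIVE_PATTERNS.items():
        for m in pattern.finditer(text):
            line_number = text.count("\n", 0, m.start()) + 1
            found.append((kind, line_number, m.group(0)))
    return found


# The page itself stays developer-authored; the user text arrives through a
# placeholder that is filled at render time. Nothing the user typed reaches
# the template compiler, so "%" lines and "<% %>" blocks are plain characters.
PAGE = Template('<div class="user-text">$body</div>')


def render_user_text(user_text):
    """Substitute user text as HTML-escaped data, never as template code."""
    return PAGE.substitute(body=html.escape(user_text))


if __name__ == "__main__":
    for kind, line_number, matched in find_directives(SAMPLE_USER_TEXT):
        print(f"line {line_number}: {kind}: {matched!r}")
    print(render_user_text(SAMPLE_USER_TEXT))
```

Note what the two halves do and do not buy you: `find_directives` is a review aid, and a regex list is only as complete as the syntax it knows about, which is the weakness behind the "am I missing something?" question. `render_user_text` does not depend on that list at all; the protection comes from the architecture (user text is data, the template is code), which is the point of the reply.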