Re: [Pas-dev] css (security)
From: Kyle R . B. <mo...@vo...> - 2002-05-17 16:05:38
> Yes, but what if you never plan on using that? :)

True. True.

> It absolutely should be configurable. Just like the include file
> datecheck stuff.

Great.

> And it doesn't need to be angle brackets we worry about. We can look for
> /\<\s*script/ whatever... this is why I'm asking. :)
>
> An optional 'block the skript kiddies' filter might be nice.

Ah, I wasn't thinking that way. Give the hamster a minute to get the
wheel cranked all the way up.

> Correct. Again, we could have several choices. And hopefully some user
> contributed filters as well.

That would rock.

> I'm afraid you're off on the angle bracket thing. That was only one of
> my half baked ideas. The other was deterministically looking for
> <SCRIPT>, <OBJECT>, <APPLET>, and <EMBED>
> The angle bracket thing was my over simplified method for dealing with
> them.

I like this. That would be a nice filter to have. This would be an
inbound filter for query data, correct? I am liking this more and more...

> If developers _want_ to pass these along, then in my mind that's no
> different than complaining something isn't suid. If you want to disable
> the safety, fine. But don't complain to me when you shoot yourself in the
> foot. That's all.

Ok, we do it as an optional input filter with the default behavior being
set to on. If they turn it off, that's their decision.

> Ok, so a plugin you can optionally turn off that looks for the tags
> mentioned in the cert advisory
> (http://www.cert.org/advisories/CA-2000-02.html) then?

+1

You know if we have this feature, it'll set our product apart from most
of the other web development systems out there...

Thanks for the idea Jason!

Kyle

--
------------------------------------------------------------------------------
Wisdom and Compassion are inseparable.
        -- Christmas Humphreys
mo...@vo...                            http://www.voicenet.com/~mortis
------------------------------------------------------------------------------
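
The filter agreed on in this message, sketched as an added example (not code from the PAS project or from anyone in the thread): an inbound query-data check for the four tags, on by default, with room for user-contributed filters. It is written in Python for illustration; `InputFilterChain`, `tag_filter` and the sample query string are hypothetical names and constructed data.

```python
import re
from urllib.parse import parse_qs

# Tags named in the thread (taken there from CERT advisory CA-2000-02).
BLOCKED_TAGS = ("script", "object", "applet", "embed")
# Tolerates whitespace after "<", in the spirit of the /\<\s*script/ idea.
TAG_RE = re.compile(r"<\s*/?\s*(%s)\b" % "|".join(BLOCKED_TAGS), re.IGNORECASE)

# Constructed sample input: one plain value, one blocked tag, one harmless tag.
SAMPLE_QUERY = "user=kyle&note=%3C%20ScRiPt%3Ex%3C/script%3E&bio=a+%3Cb%3Ebold%3C/b%3E+tag"


def tag_filter(name, value):
    """Return the blocked tag name found in value, or None."""
    m = TAG_RE.search(value)
    return m.group(1).lower() if m else None


class InputFilterChain:
    """Hypothetical plugin chain: on by default, can be disabled or extended."""

    def __init__(self, enabled=True, filters=None):
        self.enabled = enabled
        self.filters = list(filters) if filters is not None else [tag_filter]

    def check_query(self, query_string):
        """Return (clean, rejected); rejected maps parameter name -> reason."""
        # parse_qs percent-decodes, so %3Cscript%3E is inspected as <script>.
        params = parse_qs(query_string, keep_blank_values=True)
        clean, rejected = {}, {}
        for name, values in params.items():
            reason = None
            if self.enabled:
                for f in self.filters:
                    for v in values:
                        reason = reason or f(name, v)
            if reason:
                rejected[name] = reason
            else:
                clean[name] = values
        return clean, rejected


if __name__ == "__main__":
    print(InputFilterChain().check_query(SAMPLE_QUERY))
```

A blocklist of four tags does not cover every way markup can carry script, so a filter like this complements output encoding on the rendering side and does not replace it.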