[Building Sakai] SAK-17171/KNL-66 (plain text handling)

Anthony Whyte arwhyte at umich.edu
Tue Jan 12 11:32:35 PST 2010


Lydia--There is no definitive "do this/don't do this" statement  
regarding plain text handling in Sakai other than what you might  
surmise from reading the Javadocs.  However, see the 22 December  
thread.  What do you plan to do regarding SAK-17171 and how long do  
you expect your rework to take?

http://n2.nabble.com/Building-Sakai-2-6-2-SAK-17171-Botimer-vs-Botimer-td4205175.html

My view is that in certain/many cases we should be storing plain text  
input raw without escaping it and then sanitizing it when responding  
to a request.  However, there are numerous fields where escaping plain  
text input appears to me warranted (names, addresses, etc.). This I  
believe is also the view of Botimer, Zeckoski and Marquard.  Bear in  
mind that escaping text when responding to a request may tax web  
servers differently than when sanitizing text as part of a form  
submission.

The question of plain text input/output handling is an important one  
and we have yet to proceed beyond the pre-Holiday discussion to  
articulate (and enforce) a general practice.

This issue raises concerns relative to the 2.5.6/2.6.2 releases (2.7.0  
as well).  Do we block the impending maintenance releases until we  
have resolved the questions raised by SAK-17171/KNL-66?

Cheers,

Anth


On Jan 12, 2010, at 1:55 PM, Lydia Li wrote:

> Anthony,
>   In light of the discussion for SAK-17171, we are looking into  
> doing some rework on our earlier fixes and we'd like to get the  
> fixes into 2.6.2. Just wanted to give you a heads up.
>
>   Btw, was there a solution to SAK-17171 or KNL-66?  I followed the  
> thread but didn't see a definitive solution for it.  I thought you  
> might have more intimate knowledge on the progress of those bugs.
>
> thanks,
> Lydia


