[Building Sakai] SAK-17171/KNL-66 (plain text handling)

Stephen Marquard stephen.marquard at uct.ac.za
Tue Jan 12 12:08:02 PST 2010 

IMO, we should follow this set of rules:

1. For fields that are always plain text, store as-is in the database, escape on output 
2. For fields that are entered in rich text, sanitize on input, store formatted, display as-is
3. For fields that may be entered in plain text or rich text, escape or sanitize on input depending on input type, store formatted, display as-is.

escape = convert for example < to &lt;

sanitize = check for an acceptable set of tags, escape the rest (e.g. <script> gets escaped to &lt;script&gt; <strong> is unchanged) OR input not matching the validation rules is rejected and not stored (with some appropriate UI behaviour).

Cheers
Stephen

>>> Anthony Whyte <arwhyte at umich.edu> 1/12/2010 9:32 PM >>> 
Lydia--There is no definitive "do this/don't do this" statement  
regarding plain text handling in Sakai other than what you might  
surmise from reading the Javadocs.  However, see the 22 December  
thread.  What do you plan to do regarding SAK-17171 and how long do  
you expect your rework to take?

http://n2.nabble.com/Building-Sakai-2-6-2-SAK-17171-Botimer-vs-Botimer-td4205175.html

My view is that in certain/many cases we should be storing plain text  
input raw without escaping it and then sanitizing it when responding  
to a request.  However, there are numerous fields where escaping plain  
text input appears to me warranted (names, addresses, etc.). This I  
believe is also the view of Botimer, Zeckoski and Marquard.  Bear in  
mind that escaping text when responding to a request may tax web  
servers differently than when sanitizing text as part of a form  
submission.

The question of plain text input/output handling is an important one  
and we have yet to proceed beyond the pre-Holiday discussion to  
articulate (and enforce) a general practice.

This issue raises concerns relative to the 2.5.6/2.6.2 releases (2.7.0  
as well).  Do we block the impending maintenance releases until we  
have resolved the questions raised by SAK-17171/KNL-66?

Cheers,

Anth


On Jan 12, 2010, at 1:55 PM, Lydia Li wrote:

> Anthony,
>   In light of the discussion for SAK-17171, we are looking into  
> doing some rework on our earlier fixes and we'd like to get the  
> fixes into 2.6.2. Just wanted to give you a heads up.
>
>   Btw, was there a solution to SAK-17171 or KNL-66?  I followed the  
> thread but didn't see a definitive solution for it.  I thought you  
> might have more intimate knowledge on the progress of those bugs.
>
> thanks,
> Lydia
>
>
>
>

_______________________________________________
sakai-dev mailing list
sakai-dev at collab.sakaiproject.org
http://collab.sakaiproject.org/mailman/listinfo/sakai-dev

TO UNSUBSCRIBE: send email to sakai-dev-unsubscribe at collab.sakaiproject.org with a subject of "unsubscribe"

More information about the sakai-dev mailing list