Forum OpenACS Development: Re: What a forking mess: noquote hell.

Posted by Dirk Gomez on
Forget about get and post requests. Use formbuilder and you are secured against cross-site request forgeries.

Where is the security risk in the particular request you posted, Tom? Only if register were a (potentially) malicious request would you have a security issue.

It is true that we need to add session tokens to a bunch of pages. See here for a post https://openacs.org/forums/message-view?message_id=32884
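The session-token approach mentioned above, as an added example that is not part of the thread and not OpenACS's formbuilder code. It is a Python sketch, and the server secret, the session id and the `__token` field name are constructed for illustration: a state-changing request is processed only when the form carries a token derived from the current session, so a request triggered from another site (an image tag, a hidden form) arrives with the victim's cookies but without a valid token and is rejected.

```python
import hashlib
import hmac
from typing import Optional

# Constructed server-side secret for the example; a real deployment keeps
# this private and rotates it, and never ships it in a page.
SERVER_SECRET = b"constructed-example-secret"


def session_token(session_id: str) -> str:
    """Derive the form token for a session: HMAC over the session id.

    Without SERVER_SECRET a third-party site cannot compute it, and the
    browser does not send it automatically the way it sends cookies.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def verify_token(session_id: str, submitted: Optional[str]) -> bool:
    """Constant-time comparison of the submitted token against the expected one."""
    if submitted is None:
        return False
    return hmac.compare_digest(session_token(session_id), submitted)


def handle_post(session_id: str, form: dict) -> str:
    """Process a state-changing request only when its form carries a valid token.

    `session_id` stands for what the server recovered from the session cookie;
    `form` is the submitted field set (the `__token` field name is assumed).
    """
    if not verify_token(session_id, form.get("__token")):
        return "rejected"
    # Real work (delete the message, update the profile, ...) would go here.
    return "processed"


def render_form(session_id: str, action: str) -> str:
    """Emit a form that carries the token, the way a form builder would."""
    return (
        f'<form method="post" action="{action}">'
        f'<input type="hidden" name="__token" value="{session_token(session_id)}">'
        "</form>"
    )


if __name__ == "__main__":
    # Constructed scenario: a forged request carries the cookie but no token.
    print(handle_post("sess-1", {"message_id": "42"}))           # rejected
    legit = {"message_id": "42", "__token": session_token("sess-1")}
    print(handle_post("sess-1", legit))                          # processed
```

The token is bound to the session, so a token captured from one user's page does not validate for another session, and the check uses `hmac.compare_digest` rather than `==` to avoid timing differences.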

Posted by Tom Jackson on

So if formbuilder protects against XSS, what extra problem does the noquote thing handle?

My example above just shows that you don't need scripting, you just need an image tag, did I really need to delete data or modify my website to prove that to you? Point is, the request is made with my privileges.

And you are absolutely right: changes can be made to form processing to handle the problem. So what was the noquote for again, especially since we are validating input?

Posted by Jeff Davis on
You don't want to say "nohtml" for plain text fields since that means you can't use < in them. Take the forum subject field for example: you should be able to have a tag in the subject, like "<blink> should be on the list of allowed tags", but not have to worry that you will have a blinking page as a consequence. Of course you could ad_quotehtml all the plain text fields and not have noquote, but given how few places this was done correctly in 4.6.3 and before, I am confident that OpenACS with noquote has far fewer quoting bugs than previous versions.

Also, something like a user contribution page which shows data from lots of different packages (some of which might be missing validation like you are talking about) are much safer with automatic html quoting.

It certainly was not hard to move most of the toolkit to noquote and where it's wrong, the fix is pretty obvious so I think the lack of backward compatibility is not a big deal at all (and if you submit a patch versus 4.6.3 to make ;noquote a noop we would be happy to apply it).
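The quote-by-default behaviour Jeff describes, as an added example that is not part of the thread and not the OpenACS templating code. It is a Python analogue: `quotehtml` plays the role of ad_quotehtml, `render` substitutes `@name@` placeholders and quotes every value unless the placeholder says `;noquote`, and `nohtml_ok` is the "nohtml" validator that would have rejected the subject outright. The subject string is Jeff's example; the template text and function names are assumptions.

```python
import html
import re

# Constructed forum subject from the post above: contains a literal tag that
# must be displayed, not interpreted.
SUBJECT = "<blink> should be on the list of allowed tags"

# Placeholder syntax modelled on the ADP form @name@ / @name;noquote@.
_PLACEHOLDER = re.compile(r"@(\w+)(;noquote)?@")


def quotehtml(text: str) -> str:
    """Escape &, <, >, and quotes so the browser shows the text literally."""
    return html.escape(text, quote=True)


def nohtml_ok(text: str) -> bool:
    """The 'nohtml' alternative: reject any value containing angle brackets.

    This is the option Jeff rules out, because a legitimate subject like
    SUBJECT would be refused instead of displayed.
    """
    return "<" not in text and ">" not in text


def render(template: str, variables: dict) -> str:
    """Substitute placeholders, HTML-quoting by default.

    Only a placeholder flagged ;noquote passes its value through untouched,
    so a page that forgets to quote is still safe; opting out is explicit.
    """
    def substitute(match: re.Match) -> str:
        name, noquote = match.group(1), match.group(2)
        value = str(variables[name])
        return value if noquote else quotehtml(value)

    return _PLACEHOLDER.sub(substitute, template)


if __name__ == "__main__":
    page = {"subject": SUBJECT}
    print(render("<h1>@subject@</h1>", page))           # tag shown as text
    print(render("<h1>@subject;noquote@</h1>", page))   # tag interpreted: blinking page
    print(nohtml_ok(SUBJECT))                           # False: subject would be rejected
```

The two `render` calls are the whole distinction: the default placeholder gives a page with the literal text "<blink>" in the heading, while the `;noquote` form reproduces exactly the blinking page Jeff wants to avoid, which is why `;noquote` should be reserved for values a package has already quoted or that are meant to be markup.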

Posted by Tom Jackson on

It sounds like the noop is a good idea; I'll try it out and post a TIP, or a bug/feature. I'm usually less than clear when I write. To summarize: noquote isn't a bad idea, and there are other good reasons to use it, mentioned in the original documents referenced above. Upgrading my packages is a good idea, and I had already done one before I started to think, not about doing the upgrade, but about maintaining sites that can't move to 5.0 right away but might want upgrades to my packages.