Forum OpenACS Q&A: Copenhagen - noquote and csrf

Posted by Dirk Gomez on

Participants: Don Baccus, Jeff Davis, Peter Marklund, Dirk Gomez

We squeezed this into 10 minutes because there is a consensus that OpenACS needs noquote and csrf protection. In short:

Noquote is about changing the quoting behaviour of the templating system: in the next release content from the database will be html-quoted by default. (See here https://openacs.org/forums/message-view?message_id=81157)

csrf protection is about making sure that a request is not a (potentially malicious) cross site request. (https://openacs.org/forums/message-view?message_id=32884)

I already worked on "noquote"-ing a HEAD OpenACS 4.7 as a proof of concept. However we decided that work will begin from scratch once the bug fixes from the recent 4.6 releases have been merged into HEAD - this is scheduled to be finished end of April 2003.

I will then reapply the sed oneliners and the notes I took while working on the above mentioned system. The changed OpenACS code will then be committed quickly and remaining quoting bugs need to be fixed by the community at large.

Jeff already changed the form handler to include a tag that prevents changing prefetched database ids. This will be expanded into the csrf protection.
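One way to grow a signed-hidden-field tag into a cross-site request check, as an added example written for this page in Python rather than OpenACS's Tcl; it is not Jeff's form handler code. The signing key, the `__signed`/`__sig` field names, the form name and the session identifiers are constructed assumptions. The session id stands in for the value of the user's session cookie, which a page on another site cannot read; mixing it into the signature is what turns tamper protection into CSRF protection.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Per-deployment signing key (constructed here; a real server would load it
# from protected configuration so that it survives restarts).
SERVER_SECRET = secrets.token_bytes(32)


def _canonical(session_id: str, form_name: str, names: str, fields: dict) -> bytes:
    """Deterministic byte string covering everything the signature must bind:
    the session, the form, the list of signed field names and their values.
    Raises KeyError if a signed field is absent from `fields`."""
    items = [(n, str(fields[n])) for n in names.split(",") if n]
    return f"{session_id}\0{form_name}\0{names}\0{urlencode(items)}".encode()


def sign_form(session_id: str, form_name: str, hidden: dict) -> dict:
    """Return the hidden fields plus a signature binding them to this session.
    The hidden fields are the prefetched values (e.g. a message_id) that the
    client must not be able to alter."""
    names = ",".join(sorted(hidden))
    sig = hmac.new(SERVER_SECRET, _canonical(session_id, form_name, names, hidden),
                   hashlib.sha256).hexdigest()
    return {**hidden, "__signed": names, "__sig": sig}


def verify_form(session_id: str, form_name: str, submitted: dict) -> bool:
    """True only if the submitted signed fields are unmodified and were issued
    for this very session and form. A form an attacker obtained in their own
    session, or built without the secret, fails here."""
    sig = submitted.get("__sig")
    names = submitted.get("__signed")
    if not sig or names is None:
        return False
    try:
        payload = _canonical(session_id, form_name, names, submitted)
    except KeyError:
        return False  # a signed field was dropped from the submission
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(sig, expected)


def demo() -> dict:
    """Exercise the four cases a practitioner cares about."""
    victim = "sess-" + secrets.token_hex(8)    # constructed session identifiers
    attacker = "sess-" + secrets.token_hex(8)
    form = "forums/message-edit"               # constructed form name
    issued = sign_form(victim, form, {"message_id": "81157"})

    results = {}
    # 1. The victim submits the form they were served, plus editable fields.
    results["legitimate"] = verify_form(victim, form, {**issued, "subject": "edited"})
    # 2. The victim (or a script) changes the prefetched id before submitting.
    results["tampered_id"] = verify_form(victim, form, {**issued, "message_id": "32884"})
    # 3. CSRF: the attacker fetches the form in their own session and plants it
    #    on another site; the victim's browser posts it with the victim's cookie.
    forged = sign_form(attacker, form, {"message_id": "81157"})
    results["cross_session"] = verify_form(victim, form, forged)
    # 4. A hand-built cross-site form with no signature at all.
    results["missing_sig"] = verify_form(victim, form, {"message_id": "81157"})
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:14} -> {'accepted' if ok else 'rejected'}")
```

The check only helps if it runs on every state-changing request: a handler that skips `verify_form` for some POST targets leaves those targets open, and the signature must cover the field list (`__signed`) as well as the values, or a caller could simply declare fewer fields as signed.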

Posted by Jade Rubick on
I've poked through all the references, and I'm still not clear on what noquote does. How does it change the quoting behavior of the templating system?
Posted by Tilmann Singer on
As far as I know, it means that by default any text being displayed on a html page is automatically html quoted. So when you have a 'less than' sign in your tcl string, it will automatically be converted into the appropriate html entity in the adp page. This default quoting can be explicitly switched off for individual strings if required. 'noquote' is a bit of a misnomer, it should probably be 'quotebydefault' or something like that.
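To make the behaviour Tilmann describes concrete, here is a toy renderer added for this page; it is written in Python and is not OpenACS's Tcl/ADP templating code. It accepts ADP-style `@name@` references and an `@name;noquote@` opt-out, and a `quote_by_default` switch contrasts the old verbatim insertion with the proposed quote-by-default. The template, the sample subject and the body text are constructed for illustration.

```python
import html
import re

# ADP-style variable reference: "@name@" or "@name;noquote@" (constructed
# mini-syntax for this example, not the templating system's parser).
_VAR = re.compile(r"@(\w+)(;noquote)?@")


def render(template: str, variables: dict, quote_by_default: bool) -> str:
    """Substitute @name@ references in `template`.

    quote_by_default=False mimics the pre-noquote behaviour: values are
    inserted verbatim, so a value containing '<' becomes live markup.
    quote_by_default=True mimics the proposed behaviour: every value is
    HTML-quoted unless the template author opts out with ';noquote'.
    """
    def substitute(match: re.Match) -> str:
        name, noquote = match.group(1), match.group(2)
        value = str(variables[name])
        if quote_by_default and not noquote:
            return html.escape(value, quote=True)
        return value

    return _VAR.sub(substitute, template)


# Constructed sample data: a forum subject that happens to contain markup,
# and a body that is trusted, already-filtered HTML from the database.
SUBJECT = 'Re: <script>alert("xss")</script> & the noquote plan'
BODY_HTML = '<p>Trusted, already-filtered HTML from the database.</p>'
TEMPLATE = '<h2>@subject@</h2>\n<div class="body">@body;noquote@</div>'


def render_old() -> str:
    """Old default: nothing is quoted, so the subject's script tag goes live."""
    return render(TEMPLATE, {"subject": SUBJECT, "body": BODY_HTML},
                  quote_by_default=False)


def render_new() -> str:
    """New default: the subject is quoted; only the body, marked ;noquote,
    is inserted as raw HTML."""
    return render(TEMPLATE, {"subject": SUBJECT, "body": BODY_HTML},
                  quote_by_default=True)


if __name__ == "__main__":
    print("--- old default ---")
    print(render_old())
    print("--- quote by default ---")
    print(render_new())
```

The point of the switch is where the mistake lands: under the old default a forgotten quote call silently ships markup from the database to the browser, while under quote-by-default a forgotten `;noquote` shows visible escaped text, which is noticed and fixed rather than exploited.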
Posted by Andrew Piskorski on
A search turns up quite a lot of good info on noquote in these Forums. E.g.: one, two, three.