Quoting Elver Loho (suppressed):
> On 3/8/06, Mike Heins <suppressed> wrote:
> > Quoting Elver Loho (suppressed):
> > > We're using the 'get-url' tag with interpolate="0".
> > >
> > > Is there any way to tell interpolate to only parse certain tags like L
> > > and LC in the returned content?
> >
> > L and LC are not tags. You would need to use [loc].
>
> Wow, wait. Explain that once more. How do we handle localisation,
> then? I mean, we use L and LC for localisation right now. (We're still
> using version 5.0)

Look at the docs for locale. [L] happens before any tags, and for
performance reasons it is a straight substitution. It would be way
too much of a performance drag if it was parsed.

I think we are talking about moving to gettext in some form, but this.

> > > We could use [restrict policy=deny enable='L LC'], but that would be
> > > dangerous as anyone could simply insert [/restrict] in the content.
> >
> > Have you tried that? It should not work as long as you do:
> >
> > [restrict policy=deny enable="loc get_url"]
> > [get-url url="http://foo.com" reparse=1]
> > [/restrict]
> >
> > A [/restrict] in the returned content will not do anything.
>
> That seems to work. Thanks. Although, hm, won't that enable cross-site
> scripting by inserting [get-url ...] stuff in the page returned by
> get-url? We're including a PHP-based forum, so...

Theoretically, but it would not allow anything except nested URLs
(and translations). It would be hard to exploit for other than a
denial-of-service, and hard to find even then.

> >
> > An interesting feature might be a standard restrict specification
> > for tag reparse.
>
> I second that!
>

Another interesting feature would be a one-time tag allowance, i.e.

[restrict policy=deny enable="loc" one-time="get_url"]
[get-url ...]
[/restrict]

After the first use, get-url would be disabled.

--
Mike Heins
Perusion -- Expert Interchange Consulting    http://www.perusion.com/
phone +1.765.647.1295  tollfree 800-949-1889 <suppressed>

Be patient. God isn't finished with me yet. -- unknown
_______________________________________________
interchange-users mailing list
suppressed
http://www.icdevgroup.org/mailman/listinfo/interchange-users