Posted to dev@shindig.apache.org by "Chris Chabot (JIRA)" <ji...@apache.org> on 2008/06/10 17:52:45 UTC

[jira] Created: (SHINDIG-377) Remove UNPARSEABLE_CRUFT

Remove UNPARSEABLE_CRUFT
------------------------

                 Key: SHINDIG-377
                 URL: https://issues.apache.org/jira/browse/SHINDIG-377
             Project: Shindig
          Issue Type: Bug
          Components: Features (Javascript), Gadget Rendering Server (Java), Gadget Rendering Server (PHP)
            Reporter: Chris Chabot


features/core.io/io.js has the following todo (line 112):

// remove unparseable cruft.
// TODO: really remove this by eliminating it. It's not any real security
//    to begin with, and we can solve this problem by using post requests
//    and / or passing the url in the http headers.

Shall we go ahead and remove it then? Or otherwise if there is still a good reason for it being there, remove the comment?

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[jira] Resolved: (SHINDIG-377) Remove UNPARSEABLE_CRUFT

Posted by "Brian Eaton (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SHINDIG-377?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Brian Eaton resolved SHINDIG-377.
---------------------------------

    Resolution: Fixed

Comments updated in r667892.



[jira] Commented: (SHINDIG-377) Remove UNPARSEABLE_CRUFT

Posted by "Kevin Brown (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SHINDIG-377?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12603936#action_12603936 ] 

Kevin Brown commented on SHINDIG-377:
-------------------------------------

The latter part of the problem isn't really addressed (passing the url in headers / using POST).

I'd say we should remove the comment rather than the cruft for now.



[jira] Commented: (SHINDIG-377) Remove UNPARSEABLE_CRUFT

Posted by "Brian Eaton (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SHINDIG-377?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12604066#action_12604066 ] 

Brian Eaton commented on SHINDIG-377:
-------------------------------------

The unparseable cruft does no harm, and does provide protection against cross site script inclusion.  We should remove the comment, not the code.

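
The protection against cross site script inclusion mentioned in the thread, sketched as an added example that is not part of the original messages and is not Shindig's code: a server prepends an unparseable prefix to its JSON, a same-origin client strips it before parsing, and the same body fails to compile when a browser treats it as a script. The prefix value and the function names are constructed for illustration.

```javascript
'use strict';

// Constructed placeholder prefix (assumption); not the value Shindig uses.
const CRUFT = 'throw 1; < constructed unparseable prefix >';

// Server side: prepend the prefix so the body is not a valid script.
function wrapResponse(data) {
  return CRUFT + JSON.stringify(data);
}

// Client side: a same-origin XHR can read the raw text, so it can
// strip the prefix and parse the remainder as JSON.
function parseResponse(body) {
  if (!body.startsWith(CRUFT)) {
    throw new Error('missing unparseable prefix; refusing to parse');
  }
  return JSON.parse(body.slice(CRUFT.length));
}

// Models what a <script src=...> include on another site does with the
// body: the engine compiles it as a program. Compile only, never run.
function loadAsScript(body) {
  try {
    new Function(body);
    return 'compiled';
  } catch (e) {
    return e.name;
  }
}

// Constructed sample payload.
const sample = [{ user: 'alice', token: 'constructed-value' }];

// A bare JSON array is a valid script, so it can be included cross-site.
console.log(loadAsScript(JSON.stringify(sample)));   // compiled
// The prefixed body is rejected by the parser before anything runs.
console.log(loadAsScript(wrapResponse(sample)));     // SyntaxError
// The legitimate client still gets its data back.
console.log(parseResponse(wrapResponse(sample)));
```

The prefix only helps if every consumer refuses bodies that lack it, which is why `parseResponse` fails closed instead of falling back to parsing the raw text.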