[Zope-CMF] Undo interface

Chris Withers chrisw@nipltd.com
Tue, 26 Jun 2001 12:55:59 +0100

Shane Hathaway wrote:
> Chris Withers wrote:
> >
> > Shane Hathaway wrote:
> > >
> > > I think there would be security implications in what you propose.  I could
> > > be wrong.
> >
> > What would they be?
> - Putting HTML or JavaScript in the transaction description.

I wouldn't suggest allowing that, just allowing you to put your own short
comment in, in plain text:
'This was copied to that' or 'This document edited' rather than the terse URL
form of normal transaction comments.

> - Putting too much data in the notes.

Can you expand on this?

> - Clearing or replacing the note after cracking something.

Hmmm... you mean giving a hacker the ability to replace the note after they've
cracked something? Can they not do this already?
I agree its at a bit more of an exposed level if we let CMF developers change

> But these can all be dealt with.  Now what's the priority (since the
> main problem, where strange notes were added unnecessarily, has already
> been fixed)?

Not high, but would certainly gvie the CMF a more polished feel.