httpd-docs mailing list archives
From Tony Stevenson
Subject Re: Comment system, take two
Date Wed, 23 May 2012 07:15:39 GMT
Daniel Gruno wrote on Wed, May 23, 2012 at 04:47:10AM +0200:
> On 05/22/2012 11:25 PM, Rainer Jung wrote:
> > I like it.
> >
> > +1
> >
> > Concerning production readiness, some points come to mind:
> >
> > - Did you pay attention to escaping problematic input? I saw some
> > escaping, but didn't thoroughly test it. We don't want XSS and such.
> Yes, because the text is inserted using Document.CreateTextNode, all
> that is injected is pure text - HTML tags and the likes should not be
> possible to inject in any way other than as pure text. Special tags like
> <, >, \ etc are escaped in advance, but this is just so it will display
> the characters and not make them invisible. No HTML should be injectable.
> > - Is there some safety against brute force password hacking for the
> > registered people, especially the moderators? E.g. locking accounts
> > after a few wrong passwords.
> >
> Yup, more than 5 bad attempts will start making it difficult for you to
> try logging in.
> > - Since we want to host it later inside ASF infra: what are the infra
> > requirements? It seems the server part is written in Lua? Is it based
> > on httpd 2.4 with mod_lua, or just Lua in CGI scripts or similar?
> >
> Gee, what gave it away? ;)
> Right now it's written in Lua yes (should anyone be interested in the
> source code, I'd be happy to provide a link to it), and run on 2.4.2
> with mod_pLua (a distant cousin to mod_lua that offers me a bit more
> flexibility as well as access to POST data*hint hint*). One of the nice
> things about writing it in Lua is that it is quite easy to port it to
> other languages such as php or perl, should this be needed. The scripts
> themselves are quite small, since most of the work is done via JavaScript.
> I have already asked Tony if we could host this on httpd.a.o, and the
> answer was a kind no since it would require enabling php or mod_plua for
> the site, which would either (in the case of plua) be something new and
> untested or (in the case of php) bloat up the server. So, while we get
> all that sorted out, I'm more than happy to host it myself.

I said running php on the main webservers would very likely be met with a no, I didn't say it would
do that.  If the service doesn't have to run on the same vhost as the main httpd.a.o site then
we could run the service elsewhere in our infrastructure.

> Having said that, it would indeed be nice if we could find somewhere on
> infra where this could be hosted, so we could also share the tool with
> other sites wishing to incorporate comments in their system.
> > Thanks!
> >
> > Rainer
> >
> With regards,
> Daniel.

Tony Stevenson
GPG: 1024D/51047D66
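As an added illustration, not code from the comment system itself (which the thread says is Lua on the server with most logic in JavaScript): a per-account lockout of the kind Daniel describes, where more than 5 failed logins lock the account. The lockout length, the in-memory map and the injectable clock are assumptions; the important check is that the lock is consulted before the password is verified, so a correct guess during the lock window is still refused.

```javascript
// Constructed example of a brute-force lockout for registered users and
// moderators. The threshold of 5 comes from the thread; the rest is assumed.
const MAX_FAILURES = 5;          // failures tolerated before the account locks
const LOCKOUT_SECONDS = 15 * 60; // assumed lock duration

class LoginGuard {
  // `now` returns seconds; injectable so the behaviour can be tested offline.
  constructor(now = () => Date.now() / 1000) {
    this.now = now;
    this.state = new Map();      // user -> { failures, lockedUntil }
  }

  // True while the account is locked; expired locks are cleared lazily.
  isLocked(user) {
    const s = this.state.get(user);
    if (!s || !s.lockedUntil) return false;
    if (this.now() >= s.lockedUntil) {
      this.state.delete(user);
      return false;
    }
    return true;
  }

  // Run one login attempt. `verifyPassword` is only called when the account
  // is not locked, so a locked account cannot be probed with further guesses.
  attempt(user, verifyPassword) {
    if (this.isLocked(user)) return { accepted: false, locked: true };
    if (verifyPassword()) {
      this.state.delete(user);   // success resets the failure counter
      return { accepted: true, locked: false };
    }
    const s = this.state.get(user) || { failures: 0, lockedUntil: 0 };
    s.failures += 1;
    const locked = s.failures > MAX_FAILURES;
    if (locked) s.lockedUntil = this.now() + LOCKOUT_SECONDS;
    this.state.set(user, s);
    return { accepted: false, locked };
  }
}
```

A real deployment would keep the state in shared storage rather than process memory, and would return the same generic error whether the password was wrong or the account is locked.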
