httpd-docs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Daniel Gruno <>
Subject Re: Comment system, take two
Date Wed, 23 May 2012 02:47:10 GMT
On 05/22/2012 11:25 PM, Rainer Jung wrote:
> I like it.
> +1
> Concerning production readyness, some points come to mind:
> - Did you pay attention on escaping problematic input? I saw some
> escaping, but didn't thoroughly test it. We don't want XSS and such.
Yes, because the text is inserted using Document.CreateTextNode, all
that is injected is pure text - HTML tags and the likes should not be
possible to inject in any way other than as pure text. Special tags like
<, >, \ etc are escaped in advance, but this is just so it will display
the characters and not make them invisible. No HTML should be injectable.

> - Is there some safety against brute force password hacking for the
> registered people, especially the moderators? E.g. locking accounts
> after a few wrong passwords.
Yup, more than 5 bad attempts will start making it difficult for you to
try logging in.
> - Since we want to host it later inside ASF infra: what are the infra
> requirements? It seems the server part is written in Lua? Is it based
> on httpd 2.4 with mod_lua, or just Lua in CGI scripts or similar?
Gee, what gave it away? ;)
Right now it's written in Lua yes (should anyone be interested in the
source code, I'd be happy to provide a link to it), and run on 2.4.2
with mod_pLua (a distant cousin to mod_lua that offers me a bit more
flexibility as well as access to POST data*hint hint*). One of the nice
things about writing it in Lua is that it is quite easy to port it to
other languages such as php or perl, should this be needed. The scripts
themselves are quite small, since most of the work is done via JavaScript.

I have already asked Tony if we could host this on httpd.a.o, and the
answer was a kind no since it would require enabling php or mod_plua for
the site, which would either (in the case of plua) be something new and
untested or (in the case of php) bloat up the server. So, while we get
all that sorted out, I'm more than happy to host it myself.

Having said that, it would indeed be nice if we could find somewhere on
infra where this could be hosted, so we could also share the tool with
other sites wishing to incorporate comments in their system.

> Thanks!
> Rainer
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:
With regards,

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message