incubator-jspwiki-dev mailing list archives

From Janne Jalkanen <Janne.Jalka...@ecyrd.com>
Subject Re: Edit-related hash fields?
Date Wed, 04 Mar 2009 21:33:00 GMT
> How big of an issue is this any more? Does this change if we require
> accept-charset="UTF-8" on all our forms? Just wondering if we need to
> carry this into 3.0.

The problem is that badly behaving clients will behave badly regardless of what accept-charset says. So I'd rather keep it. There are still plenty of broken clients out there.

>> 2) An input field with a random name. This means that a bot will need to
>> actually GET the form first and parse it out before it can send
>> syntactically correct POSTs. This is a LOT more effort than just simply
>> looking at the fields once and crafting your auto-poster to conform.
>
> This feels like a fairly standard anti-CSRF approach, although you
> didn't call it that per se.

No, 'cos I thought about it before I heard about CSRF ;-)

> That is an interesting approach! It's a "honey pot" field,
> essentially. That's a little less amenable to a framework-level fix,
> unless we patch the Stripes FormTag class. If not, a simple custom Tag
> class would probably be better than the inline scriptlet stuff we are
> doing now.

Well, we could have a simple <wiki:SpamFilterFields /> in there somewhere which could insert all of these.

/Janne
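As an added illustration of the random-field-name idea discussed in this thread (not JSPWiki's own code, and not the Stripes or `<wiki:SpamFilterFields />` tag being proposed): the form renderer stores a fresh random field name in the session and the POST handler rejects any submission that lacks it, so an auto-poster built from a one-time look at the form fails. The "honey pot" field from the quoted reply is modelled here, as an assumption, as a second random-named field that a human leaves empty; the session and request are stand-ins for `HttpSession`/`HttpServletRequest` as plain maps, and the key names are hypothetical.

```java
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

/** Added example: per-session random field name plus an empty honeypot field. */
public class SpamFilterFields {
    private static final SecureRandom RNG = new SecureRandom();
    static final String TOKEN_KEY = "spamfilter.tokenName";   // hypothetical session key
    static final String HONEY_KEY = "spamfilter.honeyName";   // hypothetical session key

    /** Unpredictable field name; a bot cannot hard-code it because it changes per session. */
    private static String randomName(String prefix) {
        byte[] b = new byte[8];
        RNG.nextBytes(b);
        StringBuilder sb = new StringBuilder(prefix);
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    /** Called while rendering the edit form: remembers the names and returns the extra inputs. */
    public static String render(Map<String, String> session) {
        String token = randomName("f");
        String honey = randomName("h");
        session.put(TOKEN_KEY, token);
        session.put(HONEY_KEY, honey);
        return "<input type=\"hidden\" name=\"" + token + "\" value=\"1\" />\n"
             + "<input type=\"text\" name=\"" + honey + "\" style=\"display:none\" autocomplete=\"off\" />";
    }

    /** Called on POST: the random-named field must be present and the honeypot must be empty. */
    public static boolean isAcceptable(Map<String, String> session, Map<String, String> post) {
        String token = session.get(TOKEN_KEY);
        String honey = session.get(HONEY_KEY);
        if (token == null || honey == null) return false;   // form was never fetched in this session
        if (!"1".equals(post.get(token))) return false;     // poster did not parse the current form
        String trap = post.get(honey);
        return trap == null || trap.isEmpty();              // a human never sees, so never fills, the trap
    }

    public static void main(String[] args) {
        Map<String, String> session = new HashMap<>();
        System.out.println(render(session));
        Map<String, String> human = new HashMap<>();        // constructed: browser submitted the rendered form
        human.put(session.get(TOKEN_KEY), "1");
        human.put("text", "A page edit");
        Map<String, String> bot = new HashMap<>();          // constructed: replays fixed field names only
        bot.put("text", "unsolicited link");
        System.out.println("human=" + isAcceptable(session, human) + " bot=" + isAcceptable(session, bot));
    }
}
```

Hiding the honeypot with a stylesheet class rather than an inline style keeps it out of the markup the poster sees, and the session-bound name also gives a per-session form token, which is why the quoted reply compares it to an anti-CSRF measure.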
