We were asking for postal code (optional) on registration.
The purpose was to let projects study
the geographical distribution of their volunteers.
But AFAIK no one ever did this,
and some volunteers have said (understandably, I think)
that asking for postal code seems like an invasion of privacy.
So I conditioned the postal-code code on a boolean constant POSTAL_CODE.
If you put
define('POSTAL_CODE', true);
in your html/project/project.inc, you'll get the old behavior.
Otherwise users won't see postal-code related stuff any more.
compute capability 3.x.
Not sure if the parameters are right
(128 cores/proc, 2 flops/clock)
but they're better than nothing.
- web: don't allow user names that have leading or trailing white space,
or HTML tags, or are empty
svn path=/trunk/boinc/; revision=25485
and team names are represented.
In particular, edit_user_info_action.php was using
htmlentities() on names; this led to double-encoding.
The new rules:
1) no HTML tags allowed in either one.
This is enforced silently, using strip_tags()
2) names are stored in the DB exactly as entered.
They may contain chars like & and >.
They may contain non-ASCII characters
(use UTF-8 if you want them displayed correctly).
None of these are escaped.
3) When the names are put in XML
(e.g. in scheduler reply or db_dump output)
they are XML-escaped.
This escapes <, &, and non-ASCII chars
4) The client leaves them in this form,
and writes them that way in GUI RPCs
and init_data.xml files.
5) The parsing of GUI RPC replies and init_data.xml files
XML-unescapes them.
svn path=/trunk/boinc/; revision=20647
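A worked example of the name rules from the two commits above (the validation in revision 25485 and the storage and XML-escaping rules in revision 20647), added here as an editor's example; it is not BOINC's own code. Only strip_tags() and htmlentities() are named on the page; clean_name(), utf8_ord(), xml_escape(), xml_unescape() and html_display_name() are this example's own and are assumptions, as are the sample names. Tags are removed silently with strip_tags() as revision 20647 describes, and an empty or whitespace-padded name is rejected as revision 25485 requires.

```php
<?php
// Added editor's example, not BOINC project code. Helper names are assumptions.

// Apply the registration rules to a submitted name. Returns null when the
// name must be rejected, otherwise the name exactly as it will be stored.
function clean_name(string $name): ?string {
    // Revision 25485: reject empty names and leading/trailing whitespace.
    if ($name === '' || trim($name) !== $name) {
        return null;
    }
    // Rule 1: no HTML tags, enforced silently with strip_tags().
    $name = strip_tags($name);
    // "<b></b>" strips down to nothing; treat that as empty too.
    if ($name === '') {
        return null;
    }
    // Rule 2: stored exactly as entered; '&', '>' and non-ASCII survive, and
    // nothing is HTML-encoded here (the double-encoding bug was calling
    // htmlentities() at this stage and then escaping again on output).
    return $name;
}

// Decode one UTF-8 encoded character (1-4 bytes) to its code point.
function utf8_ord(string $ch): int {
    $b = array_values(unpack('C*', $ch));
    switch (count($b)) {
        case 1:  return $b[0];
        case 2:  return (($b[0] & 0x1F) << 6) | ($b[1] & 0x3F);
        case 3:  return (($b[0] & 0x0F) << 12) | (($b[1] & 0x3F) << 6) | ($b[2] & 0x3F);
        default: return (($b[0] & 0x07) << 18) | (($b[1] & 0x3F) << 12)
                      | (($b[2] & 0x3F) << 6) | ($b[3] & 0x3F);
    }
}

// Rule 3: escape for XML output (scheduler reply, db_dump): '<', '&' and every
// non-ASCII character, the latter as numeric character references so the XML
// stays 7-bit clean. '&' is replaced first so '&lt;' is not re-escaped.
function xml_escape(string $s): string {
    $s = str_replace(['&', '<'], ['&amp;', '&lt;'], $s);
    $out = preg_replace_callback(
        '/[^\x00-\x7F]/u',                       // one code point per match
        fn(array $m) => '&#' . utf8_ord($m[0]) . ';',
        $s
    );
    // Caveat: on invalid UTF-8 preg_* returns null; the page allows non-UTF-8
    // names, so such a name passes through with only '<' and '&' escaped.
    return $out ?? $s;
}

// Rules 4-5: the client carries the escaped form unchanged and unescapes it
// when parsing GUI RPC replies and init_data.xml.
function xml_unescape(string $s): string {
    return html_entity_decode($s, ENT_XML1 | ENT_QUOTES, 'UTF-8');
}

// Display-time counterpart for HTML pages: escape when rendering, not before
// storing.
function html_display_name(string $raw): string {
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

// Constructed inputs.
$submitted = "Müller & Söhne <b>GmbH</b> >1";
$stored    = clean_name($submitted);        // "Müller & Söhne GmbH >1"
$xml       = xml_escape($stored);           // "M&#252;ller &amp; S&#246;hne GmbH >1"
assert(xml_unescape($xml) === $stored);     // round-trips exactly
assert(clean_name("  padded ") === null);   // rejected (25485)
assert(clean_name("<i></i>") === null);     // only tags: rejected
// The old bug: htmlentities() before storing, then escaping again on output.
assert(xml_escape(htmlentities("A & B")) === "A &amp;amp; B");
```

Run it with `php names.php`; it is silent when every assertion holds (with zend.assertions=1). The point to keep from the rules is that there is exactly one encoding step, and it lives in the output path for each format, which is why storing the raw name and escaping in xml_escape() cannot double-encode while htmlentities() at edit time could.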
There are two aspects:
1) undoing magic quotes (if it's being used).
This must be done for all GET and POST string inputs.
It is now done automatically by get_str() and post_str().
The places that refer to $_GET and $_POST directly
must do it themselves using undo_magic_quotes().
2) Escaping user-supplied strings before using them in DB queries.
This is done by process_user_text()
(which should be renamed db_escape_string()).
The new principle:
call process_user_text() in the function that does the DB query
(not at any higher level).
svn path=/trunk/boinc/; revision=15389
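The two aspects above, worked through as an added editor's example rather than BOINC's own code. get_str(), post_str() and undo_magic_quotes() are named on the page, but their bodies here are assumed; where the page's code calls process_user_text() inside the query function, this example's query layer uses PDO parameter binding against an in-memory SQLite table, which is a swapped-in stand-in chosen so the script runs offline. The table, the helper names and the request values are constructed for the example.

```php
<?php
// Added editor's example, not BOINC project code. Function bodies, the PDO
// query layer and the sample request are assumptions.

// Aspect 1: undo magic quotes once, at the input layer, for every GET/POST
// string. get_magic_quotes_gpc() was removed in PHP 8, so the check is a
// no-op there; on old installs with magic_quotes_gpc=On it strips the
// backslashes PHP added to the request values.
function undo_magic_quotes(string $s): string {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($s);
    }
    return $s;
}

function get_str(string $name, bool $optional = false): ?string {
    if (!isset($_GET[$name])) {
        if ($optional) return null;
        throw new InvalidArgumentException("missing GET parameter: $name");
    }
    return undo_magic_quotes((string)$_GET[$name]);
}

function post_str(string $name, bool $optional = false): ?string {
    if (!isset($_POST[$name])) {
        if ($optional) return null;
        throw new InvalidArgumentException("missing POST parameter: $name");
    }
    return undo_magic_quotes((string)$_POST[$name]);
}

// Aspect 2: user text is made safe for SQL only inside the function that
// runs the query. Callers pass raw strings and never escape them.
function db_open(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    return $db;
}

function user_insert(PDO $db, string $raw_name): int {
    $st = $db->prepare('INSERT INTO user (name) VALUES (:name)');
    $st->execute([':name' => $raw_name]);   // bound, never spliced into SQL
    return (int)$db->lastInsertId();
}

function user_lookup(PDO $db, string $raw_name): ?string {
    $st = $db->prepare('SELECT name FROM user WHERE name = :name');
    $st->execute([':name' => $raw_name]);
    $name = $st->fetchColumn();
    return $name === false ? null : $name;
}

// Constructed request: a quote plus an injection attempt in the name.
$_POST = ['name' => "O'Brien'; DROP TABLE user; --"];
$db = db_open();
$name = post_str('name');
user_insert($db, $name);
assert(user_lookup($db, $name) === $name);   // stored verbatim, table intact

// The anti-pattern the new principle forbids: escaping at a higher level as
// well. Because the query layer already protects the value, the extra
// backslashes become part of the stored name, the same double-escaping that
// leftover magic quotes cause.
$double = addslashes($name);
user_insert($db, $double);
assert(user_lookup($db, $double) === "O\\'Brien\\'; DROP TABLE user; --");
assert(user_lookup($db, $name) === $name);   // the original row still matches
```

Run with `php escaping.php` (requires pdo_sqlite). The division of labour is the point: the input layer removes whatever PHP added, the query layer adds whatever SQL needs, and no code in between touches the string, so each transformation happens exactly once.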
NOTE: teams that have name display issues will have to edit their description once the projects update the code.
svn path=/trunk/boinc/; revision=12691