[pLog-svn] r6524 - plog/branches/lifetype-1.2/class/data/forms

Jon Daley plogworld at jon.limedaley.com
Mon Jun 9 07:38:19 EDT 2008


 	I like all of the changes, but I am unsure about this one.  If 
there is something wrong with the data, I think I would rather see a blank 
field than a field that has been modified.  Both from a developer's and 
user's standpoint.
 	One argument for displaying the filtered value from the user's 
standpoint is if they accidentally typed in HTML and didn't mean to, then 
we take care of it.
 	However, since we don't know what sort of validation was supposed 
to be done on this field, perhaps filtering HTML isn't the right answer, 
and I would rather blank it out, than have either bad data passed to the 
user, or some security hole that we haven't thought of yet.  The user can 
usually hit the back button if you are worried about him recovering data.
 	Passing back unknown data to the user seems like a bad idea.

On Mon, 9 Jun 2008, mark at devel.lifetype.net wrote:

> Author: mark
> Date: 2008-06-09 04:00:51 -0400 (Mon, 09 Jun 2008)
> New Revision: 6524
>
> Modified:
>   plog/branches/lifetype-1.2/class/data/forms/formvalidator.class.php
> Log:
> We still need the value but filtered with Textfilter::filterAllHTML()
>
> Modified: plog/branches/lifetype-1.2/class/data/forms/formvalidator.class.php
> ===================================================================
> --- plog/branches/lifetype-1.2/class/data/forms/formvalidator.class.php	2008-06-09 07:32:35 UTC (rev 6523)
> +++ plog/branches/lifetype-1.2/class/data/forms/formvalidator.class.php	2008-06-09 08:00:51 UTC (rev 6524)
> @@ -110,6 +110,10 @@
> 				$this->_validationResults["$fieldName"] = $validationResult;
> 				if($validationResult)
> 					$this->_fieldValues["$fieldName"] = $fieldValue;
> +				else {
> +					lt_include( PLOG_CLASS_PATH."class/data/textfilter.class.php" );
> +					$this->_fieldValues["$fieldName"] = Textfilter::filterAllHTML( $fieldValue );
> +				}
>
> 				// if one of the validations is false, then cancel the whole thing
> 				$finalValidationResult = $finalValidationResult && $validationResult;
>
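Review bot: the new `else` branch stores a value for a field that failed validation, so `_fieldValues[$fieldName]` no longer tells a caller whether the value passed; anything that reads it must now check `_validationResults` first, and the page offers no such guard. The filter also addresses only HTML, not whatever rule the failing validator actually checked, so for a length or numeric validator `Textfilter::filterAllHTML( $fieldValue )` can still hand back an invalid value. Consider either leaving the entry unset on failure (as before this change) and filtering or escaping only in the form redisplay path, or documenting that `_fieldValues` may contain unvalidated data. Two smaller points: `lt_include( PLOG_CLASS_PATH."class/data/textfilter.class.php" )` now runs once per failing field inside the loop and belongs at the top of the file, and the braced `else {` sits beside a brace-less `if` one line above, so pick one style for the pair.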
> _______________________________________________
> pLog-svn mailing list
> pLog-svn at devel.lifetype.net
> http://limedaley.com/mailman/listinfo/plog-svn
>

-- 
Jon Daley
http://jon.limedaley.com
~~
What happens if you get scared half to death twice?
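To make the design question above concrete, here is an added illustration (not LifeType's FormValidator, and not code from anyone on the thread) of three policies for what a validator loop keeps when a field fails: the raw value, an HTML-stripped value (the behaviour r6524 introduces), or a blank. The validator classes, `stripAllHtml`, `validateFields` and the input values are assumptions constructed for the example. It shows that stripping tags from `12<b>3</b>abc` leaves `123abc`, which a numeric rule still rejects, and does nothing at all for an overlong field, so a caller that trusts the stored value without checking the result flags is misled under the strip policy, while the blank policy never stores an invalid value.

```php
<?php
// Added example, not LifeType code. Names below are assumptions for illustration.

interface Validator { public function validate(string $value): bool; }

final class NumericValidator implements Validator {
    public function validate(string $value): bool { return ctype_digit($value); }
}

final class MaxLengthValidator implements Validator {
    public function __construct(private int $max) {}
    public function validate(string $value): bool { return strlen($value) <= $this->max; }
}

// Stand-in for a "filter all HTML" text filter: tag stripping only.
function stripAllHtml(string $value): string { return strip_tags($value); }

const ON_FAIL_KEEP  = 'keep';   // store the raw submitted value
const ON_FAIL_STRIP = 'strip';  // store the HTML-stripped value (what r6524 does)
const ON_FAIL_BLANK = 'blank';  // store an empty string

/**
 * @param array<string,string>    $submitted  field name => submitted value
 * @param array<string,Validator> $validators field name => validator for that field
 * @return array{ok: bool, values: array<string,string>, results: array<string,bool>}
 */
function validateFields(array $submitted, array $validators, string $onFail): array {
    $values = []; $results = []; $ok = true;
    foreach ($validators as $name => $validator) {
        $value  = $submitted[$name] ?? '';
        $passed = $validator->validate($value);
        $results[$name] = $passed;
        $ok = $ok && $passed;              // one failure fails the whole form
        if ($passed) { $values[$name] = $value; continue; }
        switch ($onFail) {
            case ON_FAIL_KEEP:  $values[$name] = $value; break;
            case ON_FAIL_STRIP: $values[$name] = stripAllHtml($value); break;
            case ON_FAIL_BLANK: $values[$name] = ''; break;
        }
    }
    return ['ok' => $ok, 'values' => $values, 'results' => $results];
}

// Constructed input: markup inside a numeric field, and a title that is too long.
$submitted  = ['quantity' => '12<b>3</b>abc', 'title' => str_repeat('x', 40)];
$validators = ['quantity' => new NumericValidator(), 'title' => new MaxLengthValidator(20)];

foreach ([ON_FAIL_KEEP, ON_FAIL_STRIP, ON_FAIL_BLANK] as $policy) {
    $r = validateFields($submitted, $validators, $policy);
    // Which stored, non-blank values would still fail their own validator?
    $stillInvalid = array_filter(
        $r['values'],
        fn(string $v, string $n): bool => $v !== '' && !$validators[$n]->validate($v),
        ARRAY_FILTER_USE_BOTH
    );
    printf("%-5s ok=%-5s quantity=%-16s still invalid: %s\n",
        $policy,
        var_export($r['ok'], true),
        var_export($r['values']['quantity'], true),
        implode(',', array_keys($stillInvalid)) ?: '(none)');
}

// Whatever the policy, a value echoed back into a form field must be escaped at
// output time; tag stripping is not attribute encoding.
echo htmlspecialchars($submitted['quantity'], ENT_QUOTES, 'UTF-8'), "\n";
```

Under `keep` and `strip` both fields are reported as still invalid; under `blank` neither is, at the cost of the user losing the typed text (recoverable with the back button, as the message above notes). The final line is the part that does not depend on the policy: re-rendering a stored value safely is an output-escaping concern, not something the validator's choice of stored value settles.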

