[pLog-svn] r6582 - plog/branches/lifetype-1.2/class/action/admin

Jon Daley plogworld at jon.limedaley.com
Sat Jun 21 12:16:06 EDT 2008


 	I guess you'll need to explain this again to me.  See the next 
checkin.  Because these values aren't validated, I can cause XSS 
problems to occur.

On Thu, 19 Jun 2008, Jon Daley wrote:

> 	Ah, yes, I hadn't realized they were all checkboxes.  I am thinking 
> that in 2.0 we should change request->getValue to not be able to return a 
> value if it isn't validated.  That way it will be impossible to have any 
> further security issues, (except for errors in the validators, and developer 
> errors in picking the wrong validator).
>
> On Thu, 19 Jun 2008, Mark Wu wrote:
>> For example, the value from checkbox.
>> 
>> We don't need to validate it, we just use:
>> 
>> $checked = ( $this->_request->getValue("blahblah") != "" );
>> 
>> So, we don't care about the value it self, we just care about the value
>> assigned or not.
>> 
>> This kind of value, we don't validate it.
>> 
>>> -----Original Message-----
>>> From: plog-svn-bounces at devel.lifetype.net
>>> [mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of Jon Daley
>>> Sent: Thursday, June 19, 2008 11:41 PM
>>> To: LifeType Developer List
>>> Subject: Re: [pLog-svn] r6582 -
>>> plog/branches/lifetype-1.2/class/action/admin
>>> 
>>> On Thu, 19 Jun 2008, Mark Wu wrote:
>>>> registerField() is only used in addXXXAction; it will bring the value (the
>>>> value does not need to be validated) back to _form.
>>>  	Ok, maybe I am starting to understand it.  Why doesn't
>>> it need to be validated?
>>> _______________________________________________
>>> pLog-svn mailing list
>>> pLog-svn at devel.lifetype.net
>>> http://limedaley.com/mailman/listinfo/plog-svn
>> 
>
>

-- 
Jon Daley
http://jon.limedaley.com
~~
We should be less concerned making churches full of people
and more concerned about making people full of God.
-- C. Kirk Hadawy and David Roozen
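The disagreement in this thread comes down to two different uses of the same request value. The `!= ""` test Mark describes only asks whether the checkbox was submitted, and for that the content of the value is irrelevant. Jon's point is that `registerField()` also carries the raw value back into the re-rendered form, and a value that is echoed into HTML without validation or escaping is an XSS sink. The following is an added illustration, not LifeType code: the `Request` class, the hypothetical `getValidatedValue()` method (modelling the 2.0 idea of refusing to return a value its validator has not accepted), the render functions and the constructed request parameters are all assumptions made for this example (PHP 8.0 or later).

```php
<?php
// Added example, not code from the LifeType project. Class and method names
// are hypothetical stand-ins for the Request/registerField() pattern discussed
// in the thread. Requires PHP 8.0+ (constructor property promotion).

declare(strict_types=1);

final class Request
{
    /** @param array<string,string> $params constructed request parameters */
    public function __construct(private array $params) {}

    /** Raw access, as in the 1.2 branch: returns whatever the client sent. */
    public function getValue(string $name): string
    {
        return $this->params[$name] ?? '';
    }

    /**
     * The 2.0 idea from the thread (hypothetical): a value is returned only
     * after the supplied validator accepts it; otherwise the caller gets null.
     */
    public function getValidatedValue(string $name, callable $validator): ?string
    {
        $raw = $this->params[$name] ?? '';
        return $validator($raw) ? $raw : null;
    }
}

/** Checkbox semantics: only presence matters, so this test is safe on its own. */
function isChecked(Request $request, string $field): bool
{
    return $request->getValue($field) != '';
}

/** Unsafe: the raw client value is written back into an attribute (the registerField() path). */
function renderCheckboxUnsafe(Request $request, string $field): string
{
    $value   = $request->getValue($field);
    $checked = isChecked($request, $field) ? ' checked' : '';
    return "<input type=\"checkbox\" name=\"$field\" value=\"$value\"$checked>";
}

/** Hardened: the form carries a fixed value, so client bytes never reach the page. */
function renderCheckboxSafe(Request $request, string $field): string
{
    $checked = isChecked($request, $field) ? ' checked' : '';
    return "<input type=\"checkbox\" name=\"$field\" value=\"1\"$checked>";
}

/** Hardened alternative when the value itself must round-trip: validate, then escape. */
function renderTextSafe(Request $request, string $field): string
{
    // Hypothetical validator: word characters only, bounded length.
    $value = $request->getValidatedValue(
        $field,
        fn(string $v): bool => (bool) preg_match('/^\w{0,64}$/', $v)
    );
    if ($value === null) {
        $value = ''; // rejected input is dropped, never echoed
    }
    return '<input type="text" name="' . htmlspecialchars($field, ENT_QUOTES, 'UTF-8')
        . '" value="' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '">';
}

// Constructed request: the checkbox arrives carrying markup characters instead of "1".
$request = new Request(['blahblah' => '"><b>injected</b>', 'title' => 'hello']);

var_dump(isChecked($request, 'blahblah'));             // the boolean logic is unaffected by the payload
echo renderCheckboxUnsafe($request, 'blahblah'), "\n"; // value attribute is closed early by the client bytes
echo renderCheckboxSafe($request, 'blahblah'), "\n";   // fixed value, nothing client-controlled in the markup
echo renderTextSafe($request, 'title'), "\n";          // validated, then HTML-escaped
```

Comparing the first two rendered inputs shows why both developers are right about their own half: `isChecked()` needs no validation, but the moment the same value is reused as form content it must either be replaced by a constant (the checkbox case) or be validated and escaped (the text case). Making `getValue()` refuse to return unvalidated data, as proposed for 2.0, removes the second category of mistakes at the source rather than at each call site.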

