[pLog-svn] r6582 - plog/branches/lifetype-1.2/class/action/admin
Jon Daley
plogworld at jon.limedaley.com
Sat Jun 21 12:16:06 EDT 2008
I guess you'll need to explain this again to me. See the next
checkin. Because these values aren't validated, I can cause XSS
problems to occur.
On Thu, 19 Jun 2008, Jon Daley wrote:
> Ah, yes, I hadn't realized they were all checkboxes. I am thinking
> that in 2.0 we should change request->getValue to not be able to return a
> value if it isn't validated. That way it will be impossible to have any
> further security issues (except for errors in the validators, and developer
> errors in picking the wrong validator).
>
> On Thu, 19 Jun 2008, Mark Wu wrote:
>> For example, the value from checkbox.
>>
>> We don't need to validate it, we just use:
>>
>> $checked = ( $this->_request->getValue("blahblah") != "" );
>>
>> So, we don't care about the value itself, we just care whether the value
>> is assigned or not.
>>
>> This kind of value we don't validate.
>>
>>> -----Original Message-----
>>> From: plog-svn-bounces at devel.lifetype.net
>>> [mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of Jon Daley
>>> Sent: Thursday, June 19, 2008 11:41 PM
>>> To: LifeType Developer List
>>> Subject: Re: [pLog-svn] r6582 -
>>> plog/branches/lifetype-1.2/class/action/admin
>>>
>>> On Thu, 19 Jun 2008, Mark Wu wrote:
>>>> registerField() is only used in addXXXAction; it will bring the value (the
>>>> value does not need to be validated) back to _form.
>>> Ok, maybe I am starting to understand it. Why doesn't
>>> it need to be validated?
>>> _______________________________________________
>>> pLog-svn mailing list
>>> pLog-svn at devel.lifetype.net
>>> http://limedaley.com/mailman/listinfo/plog-svn
>>
>
>
--
Jon Daley
http://jon.limedaley.com
~~
We should be less concerned making churches full of people
and more concerned about making people full of God.
-- C. Kirk Hadawy and David Roozen
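The design sketched in the thread (a request object whose getValue() refuses to return anything that has not passed a validator) together with the checkbox case, as an added example that is not LifeType code; every class and method name here is an assumption.

```php
<?php
// Added example, not LifeType code: a request wrapper in the spirit of the
// proposal that getValue() refuses to return any field that has not passed a
// validator. All class and method names here are assumptions.

interface Validator {
    public function validate(string $value): bool;
}

// Checkbox: only presence matters, so any value passes; the raw value is never used.
class CheckboxValidator implements Validator {
    public function validate(string $value): bool { return true; }
}

class IntegerValidator implements Validator {
    public function validate(string $value): bool { return preg_match('/^\d+$/', $value) === 1; }
}
class ValidatedRequest {
    private array $params;
    private array $validated = [];   // field name => true once validated

    public function __construct(array $params) { $this->params = $params; }
    // Registering a validator is the only way to make a field readable.
    public function registerValidator(string $field, Validator $v): bool {
        if (!$v->validate((string)($this->params[$field] ?? ''))) {
            return false;
        }
        $this->validated[$field] = true;
        return true;
    }

    // Unvalidated fields are never handed out, so they cannot be echoed into a form.
    public function getValue(string $field): string {
        if (!isset($this->validated[$field])) {
            throw new LogicException("getValue('$field') called before validation");
        }
        return (string)($this->params[$field] ?? '');
    }
}

// Constructed sample request: a checkbox, an integer, and a field nobody validated.
$request = new ValidatedRequest(['notify' => 'on', 'blogId' => '12', 'title' => 'x']);
$request->registerValidator('notify', new CheckboxValidator());
$request->registerValidator('blogId', new IntegerValidator());
$checked = ($request->getValue('notify') != '');   // true: presence is all we need
$blogId  = (int) $request->getValue('blogId');     // 12
try {
    $request->getValue('title');                   // throws: never validated
} catch (LogicException $e) {
    echo $e->getMessage(), "\n";
}
```

With this shape, forgetting to register a validator fails loudly at the getValue() call instead of silently passing raw input through to a form template.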