[pLog-svn] r6469 - plog/branches/lifetype-1.2/class/data/forms

Jon Daley plogworld at jon.limedaley.com
Sat May 24 12:39:57 EDT 2008


That was easier than I thought, though it took a while to find
this.  setCommonData(true) is being called from the error validation code,
which passes through unvalidated data.  We could set that to false, but
then all data (including validated data) would be erased when redisplaying
a form when encountering a validation error for any field.


On Sat, 24 May 2008, jondaley at devel.lifetype.net wrote:

> Author: jondaley
> Date: 2008-05-24 12:38:24 -0400 (Sat, 24 May 2008)
> New Revision: 6469
>
> Modified:
>   plog/branches/lifetype-1.2/class/data/forms/formvalidator.class.php
> Log:
> I think this fixes XSS issues, at least as long as registerFieldValidator is appropriately set.  Check the documentation http://wiki.lifetype.net/index.php/Forms_and_data_validation where the system was designed to display unvalidated data.
>
> Modified: plog/branches/lifetype-1.2/class/data/forms/formvalidator.class.php
> ===================================================================
> --- plog/branches/lifetype-1.2/class/data/forms/formvalidator.class.php	2008-05-18 11:31:21 UTC (rev 6468)
> +++ plog/branches/lifetype-1.2/class/data/forms/formvalidator.class.php	2008-05-24 16:38:24 UTC (rev 6469)
> @@ -108,7 +108,8 @@
> 				}
>
> 				$this->_validationResults["$fieldName"] = $validationResult;
> -				$this->_fieldValues["$fieldName"] = $fieldValue;
> +				if($validationResult)
> +					$this->_fieldValues["$fieldName"] = $fieldValue;
>
> 				// if one of the validations is false, then cancel the whole thing
> 				$finalValidationResult = $finalValidationResult && $validationResult;
>
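Review bot: with the new guard, a field whose validator fails is no longer written to `$this->_fieldValues` at all, so the key for that field is simply absent rather than set to a safe value; any later read of `$this->_fieldValues["$fieldName"]` for a failed field (for example when the form is redisplayed) will hit an undefined index. Consider an explicit else branch, e.g. `else $this->_fieldValues["$fieldName"] = "";`, so the key is always present but never carries the rejected input. Style: the single-statement `if($validationResult)` should take braces like the surrounding code. Also, as the log message itself notes, this only protects fields that have a validator registered via registerFieldValidator; fields without one still pass through unchanged, so the redisplay path still needs to escape values on output rather than rely on validation alone.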
> _______________________________________________
> pLog-svn mailing list
> pLog-svn at devel.lifetype.net
> http://limedaley.com/mailman/listinfo/plog-svn
>

-- 
Jon Daley
http://jon.limedaley.com/

What happens if you get scared half to death twice?
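As an added illustration, not LifeType's own code (the class, the 80-character and digits-only validators and the sample request are all assumed, and it needs PHP 5.3+ for closures), here is the same keep-only-validated-values pattern from r6469 with an explicit else branch so the key is always present, plus escaping of whatever is redisplayed:

```php
<?php
// Added illustration, not LifeType's own code: a minimal validator that,
// like r6469, keeps a field value only when its validator passed, fills a
// safe default otherwise, and escapes stored values on redisplay. PHP 5.3+.
class MiniFormValidator
{
    private $_validators = array();        // fieldName => callable
    private $_fieldValues = array();       // values considered safe to redisplay
    private $_validationResults = array(); // fieldName => bool

    // $validator is any callable taking the raw value and returning bool
    public function registerFieldValidator($fieldName, $validator)
    {
        $this->_validators[$fieldName] = $validator;
    }

    // Returns true only if every registered field validated.
    public function validate(array $request)
    {
        $finalValidationResult = true;
        foreach ($this->_validators as $fieldName => $validator) {
            $fieldValue = isset($request[$fieldName]) ? $request[$fieldName] : '';
            $validationResult = (bool) call_user_func($validator, $fieldValue);
            $this->_validationResults[$fieldName] = $validationResult;
            if ($validationResult) {
                $this->_fieldValues[$fieldName] = $fieldValue;
            } else {
                // keep the key present, but never the rejected raw input
                $this->_fieldValues[$fieldName] = '';
            }
            $finalValidationResult = $finalValidationResult && $validationResult;
        }
        return $finalValidationResult;
    }

    public function getFieldValues() { return $this->_fieldValues; }

    // Validators decide what is stored; escaping decides how it is rendered.
    public static function escape($value) { return htmlspecialchars($value, ENT_QUOTES, 'UTF-8'); }
}

// Constructed sample request: 'title' passes its validator but still needs
// escaping on output; 'count' is rejected and is therefore blanked.
$v = new MiniFormValidator();
$v->registerFieldValidator('title', function ($s) { return $s !== '' && strlen($s) <= 80; });
$v->registerFieldValidator('count', function ($s) { return ctype_digit($s); });
$ok = $v->validate(array('title' => 'Tom & Jerry', 'count' => '<b>12</b>'));
foreach ($v->getFieldValues() as $name => $value) {
    echo $name, '=', MiniFormValidator::escape($value), "\n";
}
```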