[pLog-svn] r6943 - in plog/branches/lifetype-1.2/class: action data/forms
jondaley at devel.lifetype.net
Wed Jan 6 13:50:24 EST 2010
Author: jondaley
Date: 2010-01-06 13:50:24 -0500 (Wed, 06 Jan 2010)
New Revision: 6943
Modified:
plog/branches/lifetype-1.2/class/action/action.class.php
plog/branches/lifetype-1.2/class/data/forms/formvalidator.class.php
Log:
Removed some extraneous quotes. Considering not displaying invalid data back to the user, since bug #1623 reports that it causes XSS.
Modified: plog/branches/lifetype-1.2/class/action/action.class.php
===================================================================
--- plog/branches/lifetype-1.2/class/action/action.class.php 2010-01-06 18:49:36 UTC (rev 6942)
+++ plog/branches/lifetype-1.2/class/action/action.class.php 2010-01-06 18:50:24 UTC (rev 6943)
@@ -260,7 +260,7 @@
// in case we'd like to copy the values from the form
$fieldValues = $this->_form->getFieldValues();
foreach( $fieldValues as $fieldName => $fieldValue ) {
- $this->_view->setValue( "$fieldName", $fieldValue );
+ $this->_view->setValue( $fieldName, $fieldValue );
}
}
return true;
Modified: plog/branches/lifetype-1.2/class/data/forms/formvalidator.class.php
===================================================================
--- plog/branches/lifetype-1.2/class/data/forms/formvalidator.class.php 2010-01-06 18:49:36 UTC (rev 6942)
+++ plog/branches/lifetype-1.2/class/data/forms/formvalidator.class.php 2010-01-06 18:50:24 UTC (rev 6943)
@@ -107,19 +107,22 @@
$validationResult = $fieldValidatorClass->validate( $fieldValue );
}
- $this->_validationResults["$fieldName"] = $validationResult;
- if($validationResult)
- $this->_fieldValues["$fieldName"] = $fieldValue;
+ $this->_validationResults[$fieldName] = $validationResult;
+ if($validationResult){
+ $this->_fieldValues[$fieldName] = $fieldValue;
+ }
else {
- // Note: Display unvalidated data back to user, filtering out HTML
- lt_include( PLOG_CLASS_PATH."class/data/textfilter.class.php" );
- $this->_fieldValues["$fieldName"] = Textfilter::filterAllHTML( $fieldValue );
+ // don't ever display unvalidated data - that causes XSS issues.
+ lt_include( PLOG_CLASS_PATH."class/data/textfilter.class.php" );
+ $this->_fieldValues["$fieldName"] = Textfilter::filterAllHTML( $fieldValue );
+
+// $this->_fieldValues[$fieldName] = "";
}
// if one of the validations is false, then cancel the whole thing
$finalValidationResult = $finalValidationResult && $validationResult;
}
-
+
// the form has already run
$this->_formHasRun = true;
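Review bot: The new comment in the `else` branch says unvalidated data is never displayed, but the line directly below it still stores `Textfilter::filterAllHTML( $fieldValue )` into `$this->_fieldValues`, and the first hunk shows that map being copied straight into the view, so the comment and the code disagree and the commented-out assignment left underneath makes the intent ambiguous. Either apply the intended change, `$this->_fieldValues[$fieldName] = "";`, and delete the commented-out line, or keep the filtering and reword the comment to `// failed validation: only the HTML-stripped value is kept for redisplay`. That same line also still uses the quoted `"$fieldName"` key that the rest of the hunk removes. Stripping tags covers an HTML body context only; if the view places the value in an attribute or script context it still needs context-specific escaping there, which this hunk cannot establish. The enclosing validation method starts before and ends after this hunk.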