[pLog-svn] r6943 - in plog/branches/lifetype-1.2/class: action data/forms

jondaley at devel.lifetype.net jondaley at devel.lifetype.net
Wed Jan 6 13:50:24 EST 2010


Author: jondaley
Date: 2010-01-06 13:50:24 -0500 (Wed, 06 Jan 2010)
New Revision: 6943

Modified:
   plog/branches/lifetype-1.2/class/action/action.class.php
   plog/branches/lifetype-1.2/class/data/forms/formvalidator.class.php
Log:
Removed some extraneous quotes. Thinking about not displaying invalidated data back to the user, as bug #1623 says it causes XSS.

Modified: plog/branches/lifetype-1.2/class/action/action.class.php
===================================================================
--- plog/branches/lifetype-1.2/class/action/action.class.php	2010-01-06 18:49:36 UTC (rev 6942)
+++ plog/branches/lifetype-1.2/class/action/action.class.php	2010-01-06 18:50:24 UTC (rev 6943)
@@ -260,7 +260,7 @@
 				// in case we'd like to copy the values from the form
 				$fieldValues = $this->_form->getFieldValues();
 				foreach( $fieldValues as $fieldName => $fieldValue ) {
-					$this->_view->setValue( "$fieldName", $fieldValue );
+					$this->_view->setValue( $fieldName, $fieldValue );
 				}
 			}
 			return true;

Modified: plog/branches/lifetype-1.2/class/data/forms/formvalidator.class.php
===================================================================
--- plog/branches/lifetype-1.2/class/data/forms/formvalidator.class.php	2010-01-06 18:49:36 UTC (rev 6942)
+++ plog/branches/lifetype-1.2/class/data/forms/formvalidator.class.php	2010-01-06 18:50:24 UTC (rev 6943)
@@ -107,19 +107,22 @@
 					$validationResult = $fieldValidatorClass->validate( $fieldValue );
 				}
 				
-				$this->_validationResults["$fieldName"] = $validationResult;
-				if($validationResult)
-					$this->_fieldValues["$fieldName"] = $fieldValue;
+				$this->_validationResults[$fieldName] = $validationResult;
+				if($validationResult){
+					$this->_fieldValues[$fieldName] = $fieldValue;
+                }
 				else {
-                        // Note: Display unvalidated data back to user, filtering out HTML
-					lt_include( PLOG_CLASS_PATH."class/data/textfilter.class.php" );
-					$this->_fieldValues["$fieldName"] = Textfilter::filterAllHTML( $fieldValue );
+                        // don't ever display unvalidated data - that causes XSS issues.
+                    lt_include( PLOG_CLASS_PATH."class/data/textfilter.class.php" );
+                    $this->_fieldValues["$fieldName"] = Textfilter::filterAllHTML( $fieldValue );
+                    
+//					$this->_fieldValues[$fieldName] = "";
 				}
 				
 				// if one of the validations is false, then cancel the whole thing
 				$finalValidationResult = $finalValidationResult && $validationResult;				
 			}
-			
+
 			// the form has already run
 			$this->_formHasRun = true;
 			
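Review bot: The new comment on the else branch says unvalidated data is never displayed, but the line right under it still stores `Textfilter::filterAllHTML( $fieldValue )` into `$this->_fieldValues`, so a rejected value is echoed back (HTML-stripped) exactly as before the commit, and the commented-out `$this->_fieldValues[$fieldName] = "";` is left as dead code describing an intent that is not implemented. Either take the decision and delete the commented-out line, or make the comment match the code, e.g. `// Rejected input is echoed back with all HTML stripped (bug #1623); clearing it instead is under consideration.` The same assignment also keeps the `"$fieldName"` quoting that the rest of this commit removes, and the closing brace of the new `if` block is indented with spaces where the surrounding block uses tabs. Whether stripping HTML is adequate for every context the value is later rendered in cannot be judged from this hunk, and the enclosing loop and method continue outside it.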


