#2429 - Implement better configurability in *_param_string functions
| Identifier | #2429 |
|---|---|
| Issue type | Feature request or suggestion |
| Title | Implement better configurability in *_param_string functions |
| Status | Completed |
| Handling member | Chris Graham |
| Addon | core |
| Steps to reproduce | |
| Funded? | No |

Description

Make sure either_param_string has exactly the same parameters as post_param_string.

Give all the functions a $security_flags filter. By default all flags are set for POST, and many for GET. These set whether word-filtering is done, whether HTML filtering is done, etc.

Additional information

The old get_param_string $no_security parameter would no longer be needed. The "if ($name != 'password') {" clause would no longer be needed, as it could be coded in a cleaner way.

This messy code can be cleaned up from sources/feedback.php (it is reimplementing either_param_string basically, as we can't trust that not to do word-filtering):

```php
if (!isset($_GET['options']) && !isset($_POST['options'])) {
    post_param_string('options'); // Trigger an error
}
$options = isset($_POST['options']) ? $_POST['options'] : $_GET['options'];
```

Any hard-coded field-name awareness could be cleaned up (fragments as they appear in the current code):

```php
if ((preg_match('#^\s*((((j\s*a\s*v\s*a\s*)|(v\s*b\s*))?s\s*c\s*r\s*i\s*p\s*t)|(d\s*a\s*t\s*a\s*))\s*:#i', $val) != 0) && ($name != 'value')/*Don't want autosave triggering this*/) {
```

```php
$is_url = ($name == 'from') || ($name == 'preview_url') || ($name == 'redirect') || ($name == 'redirect_passon') || ($name == 'url');
```

```php
if (!in_array($name, array('login_username', 'password', 'remember', 'login_invisible'))) {
```
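The following is an added illustration of the flag-driven design the issue asks for; it is not Composr's code and not the handling member's implementation. The constant names (INPUT_FILTER_*), the helper read_param_string, the banned-word list and the sample request are assumptions made for the example. The dangerous-scheme regex is the one quoted in the issue. The point it shows: the reader no longer needs to know that 'password' must skip word-filtering or that 'redirect' is a URL; each caller states which filters apply, the POST default keeps every filter on, and either_param_string takes exactly the arguments post_param_string takes, so the sources/feedback.php workaround collapses to one call.

```php
<?php
// Added example, not Composr code. INPUT_FILTER_* names, read_param_string,
// BANNED_WORDS and the request data below are assumptions for illustration.
declare(strict_types=1);

// Each bit enables one filter. POST defaults to all of them, GET to a subset,
// so a caller must opt OUT of a check rather than remember to opt in.
const INPUT_FILTER_WORD_FILTER  = 1;  // replace banned words
const INPUT_FILTER_HTML         = 2;  // reject HTML tags
const INPUT_FILTER_URL_SCHEME   = 4;  // reject javascript:/vbscript:/data: schemes
const INPUT_FILTER_TRIM         = 8;  // trim surrounding whitespace
const INPUT_FILTER_LENGTH_LIMIT = 16; // enforce a maximum byte length

const INPUT_FILTER_DEFAULT_POST = INPUT_FILTER_WORD_FILTER | INPUT_FILTER_HTML | INPUT_FILTER_URL_SCHEME | INPUT_FILTER_TRIM | INPUT_FILTER_LENGTH_LIMIT;
const INPUT_FILTER_DEFAULT_GET  = INPUT_FILTER_HTML | INPUT_FILTER_URL_SCHEME | INPUT_FILTER_TRIM | INPUT_FILTER_LENGTH_LIMIT;
const INPUT_FILTER_NONE         = 0;

// Constructed stand-in for the site's word filter.
const BANNED_WORDS = ['badword'];

// The dangerous-scheme pattern quoted in the issue, now tied to a flag instead of a field name.
const DANGEROUS_SCHEME_RE = '#^\s*((((j\s*a\s*v\s*a\s*)|(v\s*b\s*))?s\s*c\s*r\s*i\s*p\s*t)|(d\s*a\s*t\s*a\s*))\s*:#i';

function apply_input_filters(string $name, string $value, int $flags, int $max_length = 255): string
{
    if ($flags & INPUT_FILTER_TRIM) {
        $value = trim($value);
    }
    if (($flags & INPUT_FILTER_LENGTH_LIMIT) && strlen($value) > $max_length) {
        throw new InvalidArgumentException("Parameter '$name' exceeds $max_length bytes");
    }
    if (($flags & INPUT_FILTER_HTML) && $value !== strip_tags($value)) {
        throw new InvalidArgumentException("Parameter '$name' may not contain HTML");
    }
    if (($flags & INPUT_FILTER_URL_SCHEME) && preg_match(DANGEROUS_SCHEME_RE, $value) === 1) {
        throw new InvalidArgumentException("Parameter '$name' uses a dangerous URL scheme");
    }
    if ($flags & INPUT_FILTER_WORD_FILTER) {
        foreach (BANNED_WORDS as $word) {
            $value = str_ireplace($word, str_repeat('*', strlen($word)), $value);
        }
    }
    return $value;
}

// One reader behind all three entry points; $source is the array consulted.
function read_param_string(array $source, string $name, ?string $default, int $flags): string
{
    if (!array_key_exists($name, $source) || !is_string($source[$name])) {
        if ($default === null) {
            throw new RuntimeException("Missing required parameter '$name'");
        }
        return $default;
    }
    return apply_input_filters($name, $source[$name], $flags);
}

function post_param_string(string $name, ?string $default = null, int $flags = INPUT_FILTER_DEFAULT_POST): string
{
    return read_param_string($_POST, $name, $default, $flags);
}

function get_param_string(string $name, ?string $default = null, int $flags = INPUT_FILTER_DEFAULT_GET): string
{
    return read_param_string($_GET, $name, $default, $flags);
}

// Same signature as post_param_string, as the issue asks; POST wins over GET (array union).
function either_param_string(string $name, ?string $default = null, int $flags = INPUT_FILTER_DEFAULT_POST): string
{
    return read_param_string($_POST + $_GET, $name, $default, $flags);
}

// Constructed request for the demonstration.
$_POST = ['password' => 'S3cret badword!', 'redirect' => ' javascript:alert(1) '];
$_GET  = ['options' => 'badword stays as typed'];

// The password field opts out of every filter itself; no 'password' special case in the reader.
echo post_param_string('password', null, INPUT_FILTER_NONE), "\n";

// A URL field keeps the scheme check; the reader does not need a list of URL field names.
try {
    post_param_string('redirect', null, INPUT_FILTER_URL_SCHEME | INPUT_FILTER_TRIM);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}

// The feedback.php workaround becomes one call that switches the word filter off.
echo either_param_string('options', null, INPUT_FILTER_DEFAULT_POST & ~INPUT_FILTER_WORD_FILTER), "\n";
```

Two design points worth keeping when doing this for real: the default must be the strict set (every bit on for POST), so forgetting the argument fails closed, and a missing parameter with no default should still raise, exactly as post_param_string('options') was being called for in feedback.php to "trigger an error".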


Comments
There have been no comments yet