<br><br><div><span class="gmail_quote">On 10/19/06, <b class="gmail_sendername">Rob Barreca</b> &lt;<a href="mailto:rob@electronicinsight.com">rob@electronicinsight.com</a>&gt; wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Heine Deelstra wrote:<br>> The 4.6.10 and 4.7.4 releases saw the addition of a new default form<br>> field to protect against cross site request forgeries.<br>><br>> 2. 4.7 modules and themes that rely on a defined set of form fields to
<br>> be present<br>To me, this just means any form 'myform' that has defined a<br>theme_myform() function which DOESN'T have a form_render($form); at the<br>end of it will need to be updated. IIRC there are probably not too many
<br>modules which do that. Am I correct there? So I think the small breakage<br>is outweighed by the improved security.</blockquote><div><br>Yeah... those were my thoughts after reading the upgrade post. Actually it was more like "Wasn't that something we were supposed to be doing anyways?" I do have a better idea of why there was a token now though.
<br><br>While breaking things, this is really just bringing contrib module developers into line with core requirements where before they could get away with not doing it correctly. That seems fair, though I don't think anyone will argue that they wished this had happened in the initial release.
<br><br>That's life and nothing short of more eyes going over the code for security issues is going to help that. Don't look at me like that Gerhard, I'm not complaining or volunteering. ;) And more eyes is the driving idea behind open source so I think we're working in the right direction there even if we are short-staffed.
<br><br>James<br></div></div>