[support] Simple form-based node flagging
Kitt Hodsden
kitt-drupal at hodsden.org
Mon Sep 24 18:57:42 UTC 2007
Neil,
Using your line, check_plain goes around the subject GET:
$form['subject']['#value'] = check_plain($_GET['subject']); // SECOND AND LAST ADDITIONAL LINE
If you don't, then people can use this parameter to get information about your site.
So, imagine I have a link from MY site which goes to YOUR site that looks like
this (where "like" = not really checked for proper syntax, proper closing tags,
etc. but you get the drift):
<a href="http://yoursite.com/contact?subject=%3E%3Cimg+src%3D%22http%3A%2F%2Fexample.com%2Fscandalous-image.jpg%22+%2F%3E">Report Page</a>
Now, when someone clicks on this link, my scandalous-image.jpg will display.
Or, if I'm exploiting the latest Adobe PDF download exploit, I could have a
carefully crafted PDF sent automatically to the user who clicked on my link.
Or, I could include a javascript file that reads your site cookies and sends
them to my site (enabling my hijacking of your users' sessions).
Drupal does a lot of GET and POST variable checking for you. If you're going to
use the GET parameters directly, you need to do some of that checking yourself.
Kitt.
Quoting "Neil: esl-lounge.com" <neil at esl-lounge.com>:
> Kitt,
>
> How would the syntax for that look? I've never used it before. Why is it so
> important to use check_plain?
>
> Neil
>
>
> ----- Original Message -----
> From: "Kitt Hodsden" <kitt-drupal at hodsden.org>
> To: "Neil: esl-lounge.com" <neil at esl-lounge.com>
> Cc: <support at drupal.org>
> Sent: Monday, September 24, 2007 6:48 AM
> Subject: Re: [support] Simple form-based node flagging
>
>
> > Please, please, please, put a check_plain around the $_GET['subject'] var.
> >
> > http://api.drupal.org/?q=api/function/check_plain/5
> >
> > Kitt.
> >
> >
> > Quoting "Neil: esl-lounge.com" <neil at esl-lounge.com>:
> >
> >> In the end, I added the following code to the contact.module:
> >>
> >> // THESE NEXT TWO LINES ADDED FOR PRE-FILLING
> >> if (!isset($_POST['subject']) && !empty($_GET['subject'])) { // FIRST ADDITIONAL LINE
> >>   $form['subject']['#value'] = $_GET['subject']; // SECOND AND LAST ADDITIONAL LINE
> >> }
> >>
> >> which allows me to create links like this:
> >>
> >> <a href="/contact?subject=Page+Reported:http://www.mysite.com<?php print $_SERVER['REQUEST_URI'] ?>+(do+not+delete.)" rel="nofollow">Report Page</a>
> >>
> >> which is exactly what I was after.
> >>
> >>
> >> ----- Original Message -----
> >> From: "Michael Prasuhn" <mike at mikeyp.net>
> >> To: <support at drupal.org>
> >> Sent: Saturday, September 22, 2007 5:58 PM
> >> Subject: Re: [support] Simple form-based node flagging
> >>
> >>
> >> I suppose taking the same development resources to look at fixing the abuse
> >> module is out of the question?
> >>
> >> -Mike
> >>
> >> __________________
> >> Michael Prasuhn
> >> mike at mikeyp.net
> >> mikeyp.phone at gmail.com phone
> >> 714.356.0168 cell
> >> 949.200.7670 fax
> >>
> >> -----Original Message-----
> >> From: "Neil: esl-lounge.com" <neil at esl-lounge.com>
> >>
> >> Date: Sat, 22 Sep 2007 13:50:32
> >> To:<support at drupal.org>
> >> Subject: [support] Simple form-based node flagging
> >>
> >>
> >> I would like to make a simple "node flagging" tool on my site. I have a flag
> >> icon on every node which has the URL of the node (or the nid) inserted into
> >> it using php.
> >>
> >> What I would like is for a user who clicks that to be sent to the contact
> >> form and for the page URL to appear in the "Message" text box already.
> >>
> >> I've had a lot of problems with the Abuse module (especially the admin side
> >> of things...constant sql errors), so have decided to try to create something
> >> simpler. If the contact form can't be used like that, is there a way I can
> >> set up a simple form on a page (mysite.com/report) which is pre-filled with
> >> a flagged node's URL/nid as described above?
> >>
> >> Thanks
> >>
> >> Neil
> >> --
> >> [ Drupal support list | http://lists.drupal.org/ ]
> >>
> >
> >
> >
> >
>
>
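The exchange above turns on one point: a query-string value is reflected into the contact form's subject field, so whatever markup the link carries ends up in the page. The script below is an added example, not code from this thread or from Drupal core. It re-implements what check_plain() does as a local stand-in (assumed here to be htmlspecialchars() with ENT_QUOTES after a UTF-8 validity check), takes the hostile subject value from Kitt's link and Neil's intended benign value, and renders the subject input both raw and escaped so the difference is visible without a Drupal install. The function names check_plain_example() and render_subject_input() and the node path /node/42 are assumptions for this example.

```php
<?php
// Added example: stand-alone illustration of why the pre-fill line needs
// check_plain(). Not part of contact.module or of Drupal core.

// Local stand-in for Drupal's check_plain(). Assumption: the core function
// rejects invalid UTF-8 and otherwise HTML-escapes the string with
// htmlspecialchars(..., ENT_QUOTES), which is what is reproduced here.
function check_plain_example($text) {
    // preg_match with the /u modifier fails on malformed UTF-8.
    if (preg_match('//u', $text) !== 1) {
        return '';
    }
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Render the subject <input> the way the thread's pre-fill does, either with
// the raw $_GET value (Neil's version) or the escaped one (Kitt's version).
function render_subject_input($value, $escape) {
    $v = $escape ? check_plain_example($value) : $value;
    return '<input type="text" name="subject" value="' . $v . '" />';
}

// Constructed inputs. The first is the value Neil's report link is meant to
// carry (node path assumed); the second is the subject parameter from the
// hostile link in the thread, URL-decoded as PHP would place it in $_GET.
$benign_subject = 'Page Reported:http://www.mysite.com/node/42 (do not delete.)';
$hostile_subject = urldecode(
    '%3E%3Cimg+src%3D%22http%3A%2F%2Fexample.com%2Fscandalous-image.jpg%22+%2F%3E'
);

foreach (array('benign' => $benign_subject, 'hostile' => $hostile_subject) as $label => $s) {
    echo "[$label] raw:     " . render_subject_input($s, false) . "\n";
    echo "[$label] escaped: " . render_subject_input($s, true) . "\n\n";
}
```

Run it from the command line with php; the raw rendering of the hostile value emits the injected <img> tag verbatim inside the form, while the escaped rendering turns every angle bracket and quote into an entity so the browser shows the text in the field instead of interpreting it. The benign value survives escaping unchanged apart from the colon-free characters, so the pre-fill Neil wanted still works with check_plain() in place.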