[support] Simple form-based node flagging

Kitt Hodsden kitt-drupal at hodsden.org
Mon Sep 24 18:57:42 UTC 2007


Neil,

Using your line, check_plain goes around the subject GET:

$form['subject']['#value'] = check_plain($_GET['subject']); // SECOND AND LAST ADDITIONAL LINE

If you don't, then people can use this parameter to get information about your site.

So, imagine I have a link from MY site which goes to YOUR site that looks like
this (where "like" = not really checked for proper syntax, proper closing tags,
etc. but you get the drift):

<a href="http://yoursite.com/contact?subject=%3E%3Cimg+src%3D%22http%3A%2F%2Fexample.com%2Fscandalous-image.jpg%22+%2F%3E">Report Page</a>

Now, when someone clicks on this link, my scandalous-image.jpg will display.

Or, if I'm exploiting the latest Adobe PDF download exploit, I could have a
carefully crafted PDF sent automatically to the user who clicked on my link.  

Or, I could include a javascript file that reads your site cookies and sends
them to my site (enabling my hijacking of your users' sessions).

Drupal does a lot of GET and POST variable checking for you.  If you're going to
use the GET parameters directly, you need to do some of that checking yourself.

Kitt.
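
The two versions of the patch side by side, as an added example that is not code from this thread or from Drupal. Drupal's check_plain() is not available outside a Drupal bootstrap, so the stand-in below uses the same htmlspecialchars($text, ENT_QUOTES) escaping that check_plain() performs (the Drupal function additionally rejects invalid UTF-8; that part is omitted here). The query string is the one from the crafted link above, decoded the way PHP would decode it, and rendered into the subject field once raw and once escaped:

```php
<?php
// Stand-in for Drupal's check_plain(): escape <, >, &, " and ' so the value
// is inert in HTML text and attribute contexts. (Assumption: this matches
// what check_plain() does apart from its UTF-8 validation step.)
function check_plain_standin($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Render the contact form's subject field. $escape = false mirrors the
// original patch ($form['subject']['#value'] = $_GET['subject']);
// $escape = true mirrors the corrected one (wrapped in check_plain()).
function render_subject_field($subject, $escape) {
    $value = $escape ? check_plain_standin($subject) : $subject;
    return '<input type="text" name="subject" value="' . $value . '" />';
}

// Returns true when the rendered field contains no unescaped tag, i.e. the
// user-supplied text cannot break out of the value="..." attribute.
function field_is_inert($rendered_field) {
    // Strip the one <input ...> tag we emitted; anything left that looks
    // like a tag came from the user-controlled value.
    $rest = preg_replace('/^<input [^<]*?" \/>$/', '', $rendered_field);
    return $rest === '' && strpos($rendered_field, '<img') === false;
}

// Constructed request: the query string from the crafted link in the thread.
$query = 'subject=%3E%3Cimg+src%3D%22http%3A%2F%2Fexample.com%2Fscandalous-image.jpg%22+%2F%3E';
parse_str($query, $params);          // decodes %xx escapes and '+' as space
$subject = $params['subject'];

echo "Decoded subject: $subject\n";
echo "Unescaped: " . render_subject_field($subject, false) . "\n";
echo "Escaped:   " . render_subject_field($subject, true) . "\n";

// The raw version lets the image tag through; the escaped version does not.
assert(field_is_inert(render_subject_field($subject, false)) === false);
assert(field_is_inert(render_subject_field($subject, true)) === true);

// Escaping is reversible, so nothing the user typed is lost: the browser
// shows the original text in the field, it just cannot execute it.
assert(htmlspecialchars_decode(check_plain_standin($subject), ENT_QUOTES) === $subject);
```

The decoded subject is `><img src="http://example.com/scandalous-image.jpg" />`; unescaped it is pasted straight into the value attribute, escaped it becomes `&gt;&lt;img src=&quot;http://example.com/scandalous-image.jpg&quot; /&gt;`. ENT_QUOTES matters because the value sits inside double quotes: without it a `"` in the parameter would still be able to terminate the attribute.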




Quoting "Neil: esl-lounge.com" <neil at esl-lounge.com>:

> Kitt,
> 
> how would the syntax for that look? I've never used it before. Why is it so
> 
> important to use check_plain?
> 
> Neil
> 
> 
> ----- Original Message ----- 
> From: "Kitt Hodsden" <kitt-drupal at hodsden.org>
> To: "Neil: esl-lounge.com" <neil at esl-lounge.com>
> Cc: <support at drupal.org>
> Sent: Monday, September 24, 2007 6:48 AM
> Subject: Re: [support] Simple form-based node flagging
> 
> 
> > Please, please, please, put a check_plain around the $_GET['subject']
> var.
> >
> > http://api.drupal.org/?q=api/function/check_plain/5
> >
> > Kitt.
> >
> >
> > Quoting "Neil: esl-lounge.com" <neil at esl-lounge.com>:
> >
> >> In the end, I added the following code to the contact.module:
> >>
> >>     // THESE NEXT TWO LINES ADDED FOR PRE-FILLING
> >>     if (!isset($_POST['subject']) && !empty($_GET['subject'])) // FIRST ADDITIONAL LINE
> >>         $form['subject']['#value'] = $_GET['subject']; // SECOND AND LAST ADDITIONAL LINE
> >>
> >> which allows me to create links like this:
> >>
> >> <a href="/contact?subject=Page+Reported:http://www.mysite.com<?php print $_SERVER['REQUEST_URI'] ?>+(do+not+delete.)" rel="nofollow">Report Page</a>
> >>
> >> which is exactly what I was after.
> >>
> >>
> >> ----- Original Message ----- 
> >> From: "Michael Prasuhn" <mike at mikeyp.net>
> >> To: <support at drupal.org>
> >> Sent: Saturday, September 22, 2007 5:58 PM
> >> Subject: Re: [support] Simple form-based node flagging
> >>
> >>
> >> I suppose taking the same development resources to look at fixing the abuse
> >> module is out of the question?
> >>
> >> -Mike
> >>
> >> __________________
> >> Michael Prasuhn
> >> mike at mikeyp.net
> >> mikeyp.phone at gmail.com phone
> >> 714.356.0168 cell
> >> 949.200.7670 fax
> >>
> >> -----Original Message-----
> >> From: "Neil: esl-lounge.com" <neil at esl-lounge.com>
> >>
> >> Date: Sat, 22 Sep 2007 13:50:32
> >> To:<support at drupal.org>
> >> Subject: [support] Simple form-based node flagging
> >>
> >>
> >> I would like to make a simple "node flagging" tool on my site. I have a flag
> >> icon on every node which has the URL of the node (or the nid) inserted into
> >> it using php.
> >>
> >> What I would like is for a user who clicks that to be sent to the contact
> >> form and for the page URL to appear in the "Message" text box already.
> >>
> >> I've had a lot of problems with the Abuse module (especially the admin side
> >> of things...constant sql errors), so have decided to try to create something
> >> simpler. If the contact form can't be used like that, is there a way I can
> >> set up a simple form on a page (mysite.com/report) which is pre-filled with
> >> a flagged node's URL/nid as described above?
> >>
> >> Thanks
> >>
> >> Neil
> >> -- 
> >> [ Drupal support list | http://lists.drupal.org/ ]
> >>