[support] HTML forms not Drupal's Forms API -- Badness Explanation Needed

Greg Knaddison greg.knaddison at gmail.com
Tue Feb 3 20:07:21 UTC 2009


On Tue, Feb 3, 2009 at 12:54 PM, Metzler, David <metzlerd at evergreen.edu> wrote:
> The most compelling reason aside from being more maintainable, is that
> Drupal Forms API implements cross-site scripting vulnerability protections
> that may not have been taken care of in the original code.

It implements Semantic Forgery protection and Cross Site Request
Forgery protection.  The form can still be vulnerable to a Cross Site
Scripting (XSS) attack if the XSS vulnerability is on the same site,
but it is safe from a "blind" XSS attack that is done across domains.

The commonly stated phrase "Use Drupal's Form API for safety" only
applies when the form is submitted (POSTed) back to the Drupal site.
If you are posting to a third party site then it doesn't matter how
the form is built on the Drupal page.

Shai - I think you'll have to motivate the client to choose an
implementation based on additional features provided by a
signup+signup_pay combination (which, by the way, is getting lots of
great attention recently from the maintainers including some great
sponsored work that Derek Wright has done).

Cheers,
Greg

-- 
Greg Knaddison
http://knaddison.com | 303-800-5623 | http://growingventuresolutions.com
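The token mechanism Greg is describing, as an added example that is not part of this thread and is not Drupal's own Form API code: a small PHP model of a form token bound to the visitor's session and the form id, checked on the POST that comes back to the site. The private key, session ids, form id and URLs below are constructed for the illustration; a real Drupal site derives them from its own private key and session handling.

```php
<?php
// Added example, not Drupal's code: a minimal model of the per-session,
// per-form token that Drupal's Form API adds to forms posting back to the site.
// PRIVATE_KEY, the session ids, the form id and the URLs are constructed here.

const PRIVATE_KEY = 'site-private-key-constructed-for-this-example';

// Token bound to the visitor's session and to one specific form id.
function form_token(string $session_id, string $form_id): string {
    return hash_hmac('sha256', $session_id . ':' . $form_id, PRIVATE_KEY);
}

// Render a form the site serves; the hidden token is only meaningful when
// $action points back at this same site, which knows PRIVATE_KEY.
function render_form(string $session_id, string $form_id, string $action): string {
    $token = form_token($session_id, $form_id);
    return '<form method="post" action="' . htmlspecialchars($action, ENT_QUOTES) . '">'
         . '<input type="hidden" name="form_id" value="' . htmlspecialchars($form_id, ENT_QUOTES) . '">'
         . '<input type="hidden" name="form_token" value="' . $token . '">'
         . '<input type="submit" value="Sign up">'
         . '</form>';
}

// Server-side check on submission: reject when the token is missing or does
// not match the one derived for this session and form id.
function valid_submission(array $post, string $session_id): bool {
    if (!isset($post['form_id'], $post['form_token'])) {
        return false;
    }
    $expected = form_token($session_id, $post['form_id']);
    return hash_equals($expected, $post['form_token']); // constant-time compare
}

// --- constructed scenarios, evaluated against the victim's session ---
$victim_session   = 'sess-victim-1234';
$attacker_session = 'sess-attacker-9999';

$scenarios = [
    // Legitimate submission of the form the site rendered for this visitor.
    'legit same-site POST' => [
        'form_id' => 'signup_form',
        'form_token' => form_token($victim_session, 'signup_form'),
    ],
    // Blind CSRF: a page on another domain auto-submits to the site with the
    // victim's cookies, but cannot read the victim's token, so none is sent.
    'blind cross-domain POST' => [
        'form_id' => 'signup_form',
    ],
    // Attacker supplies a token minted for their own session instead.
    'token from attacker session' => [
        'form_id' => 'signup_form',
        'form_token' => form_token($attacker_session, 'signup_form'),
    ],
    // XSS on the same site: injected script reads the real token out of the
    // rendered form and submits it, so the token check cannot stop it.
    'same-site XSS replaying token' => [
        'form_id' => 'signup_form',
        'form_token' => form_token($victim_session, 'signup_form'),
    ],
];

foreach ($scenarios as $label => $post) {
    echo str_pad($label, 32), ': ',
         valid_submission($post, $victim_session) ? 'accepted' : 'rejected', "\n";
}

// A form whose action is a third-party site: the token still rides along, but
// the receiving site has no PRIVATE_KEY or session to validate it against, so
// building the form with the Form API buys nothing for that submission.
echo "\n", render_form($victim_session, 'signup_form', 'https://payments.example/checkout'), "\n";
```

Run it with `php example.php`. The scenarios that post back to the site are accepted or rejected purely on whether the token matches the victim's session, which is why the same-site XSS case passes the check and the cross-domain case does not; the last form shows that the token cannot help a submission that leaves the site.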

