Hi Fabio,
So I have my css.module, which adds a text area when editing a node. The text inserted into that text area will be used as CSS when displaying the page.
I think that input checking on the css field is needed...
This is how I'm using valid_input_data:
    function css_nodeapi(&$node, $op, $teaser, $page) {
      ....
        case 'validate':
          if (variable_get('css_'. $node->type, TRUE) || !user_access('create css for nodes')) {
            if (!valid_input_data($node->css_css)) {
              drupal_access_denied();
            }
          }
How do you guys think I have to implement an input check?

Well, valid_input_data was not a proper function to check for valid CSS anyway, so the check was inherently bad. How one checks proper CSS is a good question. You need to find some whitelisting patterns (i.e. some regular expressions to check your input with), which ensure that the input is not malicious code. Testing that it is proper CSS needs a full CSS parser.

Goba
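
One way to apply the whitelisting approach described in the reply above, as an added example that is not part of the original thread or of css.module: the function name css_is_whitelisted(), the property list and the sample inputs are assumptions made for illustration. It accepts only a narrow subset of CSS and does not test that the input is proper CSS, which, as the reply says, needs a full parser.

```php
<?php
// Added example, not code from css.module. css_is_whitelisted() and the
// property list are hypothetical names and values chosen for illustration.
function css_is_whitelisted($css) {
  $allowed_props = array('color', 'background-color', 'font-size',
    'font-weight', 'font-style', 'text-align', 'text-decoration',
    'margin', 'padding', 'border', 'width', 'height', 'line-height');
  // Selectors: tag names, classes, ids, grouping and child combinators.
  $selector_re = '/^[a-zA-Z0-9_\-#.,>\s]+\z/';
  // Values: keywords, numbers with units, percentages, hex colours.
  // Parentheses, quotes, colons, slashes and backslashes are not in the
  // class, so function notation, strings, comments and escapes never pass.
  $value_re = '/^[a-zA-Z0-9#%., \-]+\z/';

  $css = trim($css);
  if ($css === '') {
    return TRUE;
  }
  // The whole input must be a run of "selector { declarations }" blocks;
  // nested braces and text outside a block fail here.
  if (!preg_match('/^(?:[^{}]+\{[^{}]*\})+\z/', $css)) {
    return FALSE;
  }
  preg_match_all('/([^{}]+)\{([^{}]*)\}/', $css, $rules, PREG_SET_ORDER);
  foreach ($rules as $rule) {
    if (!preg_match($selector_re, trim($rule[1]))) {
      return FALSE;
    }
    foreach (explode(';', $rule[2]) as $decl) {
      $decl = trim($decl);
      if ($decl === '') {
        continue;
      }
      $parts = explode(':', $decl, 2);
      if (count($parts) != 2) {
        return FALSE;
      }
      $prop = strtolower(trim($parts[0]));
      if (!in_array($prop, $allowed_props, TRUE)
          || !preg_match($value_re, trim($parts[1]))) {
        return FALSE;
      }
    }
  }
  return TRUE;
}

// Constructed sample inputs.
var_dump(css_is_whitelisted("h1.title { color: #c00; font-size: 120%; }"));
var_dump(css_is_whitelisted("p { position: fixed; }"));
```

The first call prints bool(true) and the second bool(false), because position is not in the allowed property list. Anything the patterns do not explicitly permit is rejected, so legitimate but unlisted CSS fails as well.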