On Fri, 3 Jun 2005, Dries Buytaert wrote:
On 03 Jun 2005, at 11:23, Gerhard Killesreiter wrote:
What follows is a proposal I sent to Dries before the security releases were made. Since it hinted at the possibility of flaws in our current way of handling forms, I didn't want to make it available for public viewing at that time. There are probably still errors in some forms, but the most serious exploits should be fixed now. Although the proposal is geared towards node forms, it could easily be extended to other forms.
I think I'm missing the point. What _exactly_ do we gain?
1) We can ensure that only the fields that are defined by our PHP code can be used. Currently, you can add HTML to any Drupal-generated HTML form and the values will be processed and possibly inserted into the database. We can also check whether the fields are still of the type that they should be. I am not sure that you can gain anything by exchanging a textarea input for a radio select, but the possibility annoys me.

2) Themes could change the order and placement of fields. You could decide to generate your taxonomy tree somewhere other than between title and body. Maybe you can already do this through CSS, I don't know.

3) People seem to like arrays more than strings. ;)

Cheers,
Gerhard
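As an added illustration of point 1 (this is example code, not Drupal's form handling or anything from the thread), the form is declared as a PHP array and the submitted values are filtered against that declaration: fields the code never defined are dropped, and a radio/select value outside the declared options is rejected. The `$form` structure, `filter_submission()` and the submitted values are all constructed here for the example.

```php
<?php
// Hypothetical form definition: field name => type (and options for radios/select).
$form = [
    'title'  => ['type' => 'textfield'],
    'body'   => ['type' => 'textarea'],
    'status' => ['type' => 'radios', 'options' => ['0' => 'Unpublished', '1' => 'Published']],
];

/**
 * Keep only the fields the definition declares and reject option values
 * the definition does not list. Returns [accepted values, error messages].
 */
function filter_submission(array $form, array $post): array {
    $values = [];
    $errors = [];
    foreach ($post as $name => $value) {
        // A field that the PHP code never declared is never processed,
        // no matter what HTML was added to the rendered form.
        if (!isset($form[$name])) {
            $errors[] = "unexpected field '$name' dropped";
            continue;
        }
        $def = $form[$name];
        // Radios/select only accept the keys the definition enumerates.
        if (in_array($def['type'], ['radios', 'select'], true)
            && !array_key_exists((string) $value, $def['options'])) {
            $errors[] = "field '$name': value not among defined options";
            continue;
        }
        // Text inputs must arrive as plain strings, not arrays.
        if (!is_string($value)) {
            $errors[] = "field '$name': unexpected value type";
            continue;
        }
        $values[$name] = $value;
    }
    return [$values, $errors];
}

// Constructed submission: an extra 'uid' field not in the definition and
// a 'status' value outside the declared radio options.
$post = ['title' => 'Hello', 'body' => 'Some text', 'status' => '7', 'uid' => '1'];
[$values, $errors] = filter_submission($form, $post);
print_r($values);   // only 'title' and 'body' survive
print_r($errors);   // two messages: dropped 'uid', rejected 'status'
```

Swapping a textarea for a textfield cannot be detected from the POST data alone, since both arrive as strings; the definition only lets you enforce which names are accepted and, for enumerated widgets, which values.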