valid_input_data no more available on 4.6.4
Hi everybody.
I just received a bug report on the bug tracking system of my css.module. http://drupal.org/node/40340
As written there, the function valid_input_data has been removed from 4.6.4.
Why has it been removed? What can we use for input checking? filter_xss?
I think that this change (and others) should be documented in the handbooks.
Thanks.
Fabio
On Thu, 08 Dec 2005 12:45:57 +0100, Fabio Varesano <fabio.varesano@gmail.com> wrote:
> Hi everybody.
> I just received a bug report on the bug tracking system of my css.module. http://drupal.org/node/40340
> As written there, the function valid_input_data has been removed from 4.6.4.
> Why has it been removed? What can we use for input checking? filter_xss?
> I think that this change (and others) should be documented in the handbooks.
I agree and I already mailed the list yesterday on this.
You can't really do input checking now, valid_input_data was broken beyond repair. We are filtering on output (this has been so for a long time), use check_plain, check_url and check_output as appropriate. check_output when you have a filter format, check_url when you want to display a url and check_plain otherwise if you output your own content.
Regards
NK
Karoly Negyesi wrote:
> You can't really do input checking now, valid_input_data was broken beyond repair. We are filtering on output (this has been so for a long time), use check_plain, check_url and check_output as appropriate. check_output when you have a filter format, check_url when you want to display a url and check_plain otherwise if you output your own content.
This important information will end up in some upgrade documentation, right? :)
Goba
Ok.. so I have my css.module which adds a text area when editing a node. The text inserted into that text area will be used as css when displaying the page.
I think that input checking on the css field is needed...
This is how I'm using the valid_input_data:
    function css_nodeapi(&$node, $op, $teaser, $page) {
      ....
        case 'validate':
          if (variable_get('css_'. $node->type, TRUE) || !user_access('create css for nodes')) {
            if (!valid_input_data($node->css_css)) {
              drupal_access_denied();
            }
          }
How do you guys think I have to implement an input check?
Thanks.
Fabio
Karoly Negyesi wrote:
> On Thu, 08 Dec 2005 12:45:57 +0100, Fabio Varesano <fabio.varesano@gmail.com> wrote:
> > Hi everybody.
> > I just received a bug report on the bug tracking system of my css.module. http://drupal.org/node/40340
> > As written there, the function valid_input_data has been removed from 4.6.4.
> > Why has it been removed? What can we use for input checking? filter_xss?
> > I think that this change (and others) should be documented in the handbooks.
> I agree and I already mailed the list yesterday on this.
> You can't really do input checking now, valid_input_data was broken beyond repair. We are filtering on output (this has been so for a long time), use check_plain, check_url and check_output as appropriate. check_output when you have a filter format, check_url when you want to display a url and check_plain otherwise if you output your own content.
> Regards
> NK
Hi Fabio,
> so I have my css.module which adds a text area when editing a node. The text inserted into that text area will be used as css when displaying the page.
> I think that input checking on the css field is needed...
> This is how I'm using the valid_input_data:
>     function css_nodeapi(&$node, $op, $teaser, $page) {
>       ....
>         case 'validate':
>           if (variable_get('css_'. $node->type, TRUE) || !user_access('create css for nodes')) {
>             if (!valid_input_data($node->css_css)) {
>               drupal_access_denied();
>             }
>           }
> How do you guys think I have to implement an input check?
Well, valid_input_data was not a proper function to check for valid CSS anyway, so the check was inherently bad. How one checks proper CSS is a good question. You need to find some whitelisting patterns (i.e. some regular expressions to check your input with), which ensure that the input is not malicious code. Testing that it is proper CSS needs a full CSS parser.
Goba
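One way to do the whitelisting described in the message above, as an added example that is not part of the original thread or of css.module. The function name css_whitelist_errors, the property list and both patterns are assumptions chosen for illustration.

```php
<?php
// Added example, not css.module code. The property list, the selector pattern
// and the value pattern are assumptions chosen for illustration.
function css_whitelist_errors($css) {
  $allowed = array('color', 'background-color', 'font-size', 'font-weight',
    'font-style', 'text-align', 'text-decoration', 'margin', 'padding',
    'border', 'width', 'height');

  // The whole input must be a sequence of "selector { declarations }" blocks.
  // Anything else (at-rules, comments, markup, nested braces) fails here.
  $rules = '/\A\s*(?:[a-zA-Z.#][\w\s.#,>:-]*\{[^{}]*\}\s*)*\z/';
  if (!preg_match($rules, $css)) {
    return array('Input is not a plain list of "selector { ... }" rules.');
  }

  $errors = array();
  preg_match_all('/\{([^{}]*)\}/', $css, $blocks);
  foreach ($blocks[1] as $body) {
    foreach (explode(';', $body) as $declaration) {
      if (trim($declaration) === '') {
        continue;
      }
      $parts = explode(':', $declaration, 2);
      $property = strtolower(trim($parts[0]));
      $value = isset($parts[1]) ? trim($parts[1]) : '';
      // The property must be on the list. The value may only use characters
      // needed for keywords, numbers, units, percentages and hex colours, so
      // parentheses, quotes, backslashes, slashes and colons never pass.
      if (!in_array($property, $allowed, TRUE)) {
        $errors[] = 'A property outside the whitelist was used.';
      }
      elseif (!preg_match('/\A[a-zA-Z0-9 #%.,-]+\z/', $value)) {
        $errors[] = 'A value contains characters outside the whitelist.';
      }
    }
  }
  return $errors;
}

// Constructed sample input: the first string passes, the second is rejected.
$ok  = "h1, .note { color: #336699; font-size: 120%; }\n#main { margin: 0 auto; }";
$bad = "div { background-image: url(http://example.com/a.png); }";
var_dump(css_whitelist_errors($ok));
var_dump(css_whitelist_errors($bad));
```

A whitelist like this also rejects valid CSS that it does not recognise; it does not test that the input is proper CSS, which as the message says needs a full CSS parser.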
On Dec 8, 2005, at 2:09 PM, Fabio Varesano wrote:
> I think that input checking on the css field is needed...
> This is how I'm using the valid_input_data:
>     function css_nodeapi(&$node, $op, $teaser, $page) {
>       ....
>         case 'validate':
>           if (variable_get('css_'. $node->type, TRUE) || !user_access('create css for nodes')) {
>             if (!valid_input_data($node->css_css)) {
>               drupal_access_denied();
>             }
>           }
> How do you guys think I have to implement an input check?
You could use an HTTP library and send it through the w3c CSS validator...
http://jigsaw.w3.org/css-validator/
That would ensure the CSS is well-formed. You could even conditionally warn about valid but poor CSS practice (setting background-color without setting color, for example).
Also -- that's probably a different error case than user_access(); I'm guessing you'd want to return a "Hey, your CSS isn't valid" instead of "Access denied"...
Cheers, -Nate
I don't need to validate css. I just want to check for suspicious data to prevent xss.
Nathan Vack wrote:
> On Dec 8, 2005, at 2:09 PM, Fabio Varesano wrote:
> > I think that input checking on the css field is needed...
> > This is how I'm using the valid_input_data:
> >     function css_nodeapi(&$node, $op, $teaser, $page) {
> >       ....
> >         case 'validate':
> >           if (variable_get('css_'. $node->type, TRUE) || !user_access('create css for nodes')) {
> >             if (!valid_input_data($node->css_css)) {
> >               drupal_access_denied();
> >             }
> >           }
> > How do you guys think I have to implement an input check?
> You could use an HTTP library and send it through the w3c CSS validator...
> http://jigsaw.w3.org/css-validator/
> That would ensure the CSS is well-formed. You could even conditionally warn about valid but poor CSS practice (setting background-color without setting color, for example).
> Also -- that's probably a different error case than user_access(); I'm guessing you'd want to return a "Hey, your CSS isn't valid" instead of "Access denied"...
> Cheers, -Nate
participants (4): Fabio Varesano, Gabor Hojtsy, Karoly Negyesi, Nathan Vack