Gang,
I've red-flagged for a potential client (abandoned by a former Drupal developer) an event registration page on their site that uses an HTML form to deliver some variables to a PayPal page. Looks like the code came from a PayPal help page.
I'm proposing using a combination of the signup and signup_pay modules to handle this functionality. I'd like to give the client a little more detail on why it is bad to use regular HTML forms in addition to "It's more stable," or "it's the Drupal way." On the "It's more stable" argument, I need some more detail on why and what are some bad things that can.
Any help would be most appreciated.
Thanks,
Shai
The most compelling reason, aside from being more maintainable, is that Drupal's Forms API implements cross-site scripting vulnerability protections that may not have been taken care of in the original code.
Dave
From: support-bounces@drupal.org [mailto:support-bounces@drupal.org] On Behalf Of Shai Gluskin Sent: Tuesday, February 03, 2009 11:45 AM To: support@drupal.org Subject: [support] HTML forms not Drupal's Forms API -- Badness Explanation Needed
On Tue, Feb 3, 2009 at 12:54 PM, Metzler, David metzlerd@evergreen.edu wrote:
The most compelling reason, aside from being more maintainable, is that Drupal's Forms API implements cross-site scripting vulnerability protections that may not have been taken care of in the original code.
It implements Semantic Forgery protection and Cross Site Request Forgery protection. The form can still be vulnerable to a Cross Site Scripting (CSS) attack if the XSS vulnerability is on the same site, but it is safe from a "blind" XSS attack that is done across domains.
The commonly stated phrase "Use Drupal's Form API for safety" only applies when the form is submitted (POSTed) back to the Drupal site. If you are posting to a third party site then it doesn't matter how the form is built on the Drupal page.
Shai - I think you'll have to motivate the client to choose an implementation based on additional features provided by a signup+signup_pay combination (which, by the way, is getting lots of great attention recently from the maintainers including some great sponsored work that Derek Wright has done).
Cheers, Greg
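To make Greg's point concrete, here is an added stand-alone model (not Drupal's own code, and not from anyone in this thread) of a session-bound form token: a POST back to the site is accepted only if it carries the token issued to that session, while a form whose action points at a third-party host is never checked by the site at all. The private key, hostnames, session ids and form ids are all constructed for the example.

```python
import hmac
import hashlib
from urllib.parse import urlparse

# Constructed values: stand-ins for the site's private key and its hostname.
PRIVATE_KEY = b"constructed-site-private-key"
SITE_HOST = "example.org"


def form_token(session_id: str, form_id: str) -> str:
    """Token bound to the visitor's session and the form id, so a request
    forged from another origin (which cannot read the victim's page) lacks it.
    A same-origin XSS could still read it, which is the limit Greg describes."""
    msg = f"{session_id}:{form_id}".encode()
    return hmac.new(PRIVATE_KEY, msg, hashlib.sha256).hexdigest()


def render_form(session_id: str, form_id: str, action_url: str) -> dict:
    """Fields the site would embed in the rendered form, including the token."""
    return {
        "action": action_url,
        "form_id": form_id,
        "form_token": form_token(session_id, form_id),
    }


def handle_post(session_id: str, post: dict) -> str:
    """Server-side check run only when the form is POSTed back to this site."""
    expected = form_token(session_id, post.get("form_id", ""))
    if not hmac.compare_digest(expected, post.get("form_token", "")):
        return "rejected: missing or invalid form token"
    return "accepted"


def protected_by_form_token(action_url: str) -> bool:
    """The token is only ever validated by this site, so it protects nothing
    when the form's action submits to another host."""
    return urlparse(action_url).hostname == SITE_HOST


def scenarios() -> dict:
    """Legitimate submission, forged submission without the token, and an
    external (payment-provider style) form that the site never validates."""
    legit = render_form("sess-A", "event_signup", "https://example.org/signup")
    forged = {"form_id": "event_signup", "form_token": ""}  # no access to victim token
    external = render_form("sess-A", "event_signup", "https://payments.example.net/checkout")
    return {
        "legit": handle_post("sess-A", legit),
        "forged": handle_post("sess-A", forged),
        "other_session": handle_post("sess-B", legit),
        "external_checked_by_site": protected_by_form_token(external["action"]),
    }
```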