[development] valid_input_data no more available on 4.6.4

Gabor Hojtsy gabor at hojtsy.hu
Thu Dec 8 20:37:13 UTC 2005

Hi Fabio,

> so I have my css.module which adds a text area when
> editing a node.
> the text inserted into that text area will be used
> as css when displaying the page.
> I think that input checking on the css field is
> needed...
> This is how I'm using the valid_input_data :
> function css_nodeapi(&$node, $op, $teaser, $page) {
> ....
> case 'validate':
>       if (variable_get('css_'. $node->type, TRUE) || 	
> !user_access('create css for nodes')) {
>         if (!valid_input_data($node->css_css)) {
>           drupal_access_denied();
>         }
>       }
> How do you guys think I have to implement a input check?

Well, valid_input_data was not a proper function to check for valid CSS
anyway, so the check was inherently bad. How one checks proper CSS is a
good question. You need to find some whitelisting patterns (ie. some
regular expressions to check your input with), which ensure that the
input is not malicious code. Testing that it is proper CSS needs a full
CSS parser.


More information about the development mailing list