[development] valid_input_data no more available on 4.6.4
Fabio Varesano
fabio.varesano at gmail.com
Thu Dec 8 21:11:49 UTC 2005
I don't need to validate CSS.
I just want to check for suspicious
data to prevent XSS.
Nathan Vack wrote:
> On Dec 8, 2005, at 2:09 PM, Fabio Varesano wrote:
>
>> I think that input checking on the css field is
>> needed...
>>
>> This is how I'm using valid_input_data:
>>
>> function css_nodeapi(&$node, $op, $teaser, $page) {
>>   ....
>>   case 'validate':
>>     if (variable_get('css_'. $node->type, TRUE) ||
>>         !user_access('create css for nodes')) {
>>       if (!valid_input_data($node->css_css)) {
>>         drupal_access_denied();
>>       }
>>     }
>>
>> How do you guys think I have to implement an input check?
>
>
> You could use an HTTP library and send it through the w3c CSS validator...
>
> http://jigsaw.w3.org/css-validator/
>
> That would ensure the CSS is well-formed. You could even conditionally
> warn about valid but poor CSS practice (setting background-color
> without setting color, for example).
>
> Also -- that's probably a different error case than user_access(); I'm
> guessing you'd want to return a "Hey, your CSS isn't valid" instead of
> "Access denied"...
>
> Cheers,
> -Nate
>
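
A check of the kind asked about in this thread (flagging suspicious CSS rather than validating it), as an added example that is not part of the original messages or of Drupal. The function names are hypothetical, the sample inputs are constructed, and the deny-list is deliberately conservative, so it also rejects some legitimate CSS such as data: image URLs.

```php
<?php
// Added example: hypothetical helper names, not Drupal API.

// Undo the encodings a pattern match has to see through.
function css_normalize_for_check($css) {
  $css = preg_replace('/[\x00-\x08\x0B\x0E-\x1F\x7F]/', '', $css); // control chars
  $css = preg_replace('#/\*.*?\*/#s', '', $css);                    // comments
  // Hex escapes: backslash, 1-6 hex digits, one optional whitespace.
  $css = preg_replace_callback('/\\\\([0-9a-f]{1,6})\s?/i', function ($m) {
    $cp = hexdec($m[1]);
    // Printable ASCII is decoded, control codes vanish, the rest is masked.
    return $cp < 0x7F ? ($cp > 0x20 ? chr($cp) : '') : '?';
  }, $css);
  $css = preg_replace('/\\\\(.)/s', '$1', $css);                    // other escapes
  // Lowercase and drop whitespace so split keywords line up.
  return preg_replace('/\s+/', '', strtolower($css));
}

// Returns the labels of the suspicious constructs found (empty array = none).
function css_find_suspicious($css) {
  $n = css_normalize_for_check($css);
  $deny = array(
    'expression()'    => '/expression\(/',
    'script/data URL' => '/url\(["\']?(javascript|vbscript|data):/',
    '@import'         => '/@import/',
    'behavior'        => '/behavior:/',
    '-moz-binding'    => '/-moz-binding:/',
    'HTML markup'     => '/<\/?(style|script)|<!--/',
  );
  $hits = array();
  foreach ($deny as $label => $re) {
    if (preg_match($re, $n)) {
      $hits[] = $label;
    }
  }
  return $hits;
}

// Constructed sample inputs: one clean sheet, three that hide a construct.
$samples = array(
  'plain'    => 'h1 { color: #333; background: url(img/bg.png); }',
  'comment'  => 'div { width: exp/**/ression(1); }',
  'escape'   => 'a { background: url("java\73 cript:void(0)"); }',
  'breakout' => 'p { } </style><b>',
);
foreach ($samples as $name => $css) {
  echo $name, ': ', implode(', ', css_find_suspicious($css)), "\n";
}
```

A non-empty result is a validation failure to report back to the author of the CSS, which is the separate error case Nate points out, not an access-denied condition.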