[drupal-devel] Rewriting use of forms in Drupal
Gerhard Killesreiter
killesreiter at physik.uni-freiburg.de
Fri Jun 3 11:44:22 UTC 2005
On Fri, 3 Jun 2005, Dries Buytaert wrote:
>
> On 03 Jun 2005, at 11:23, Gerhard Killesreiter wrote:
>
> > What follows is a proposal I sent to Dries before the security
> > releases
> > were made. Since it hinted at the possibility of flaws in our current
> > way of handling forms I didn't want to make it available for public
> > viewing at that time. There are probably still errors in some
> > forms, but
> > the most serious exploits should be fixed now. Although the
> > proposal is
> > geared towards node forms, it could be easily extended for other
> > forms.
> >
>
> I think I'm missing the point. What _exactly_ do we gain?
1) We can ensure that only the fields that are defined by our PHP code
can be used.
Currently, you can add html to any Drupal generated HTML form and the
values will be processed and possibly be inserted into the database.
We can also check if the fields still are of the type that they
should. I am not sure that you can gain anything by exchanging a
textarea input to a radioselect, but the possibility annoys me.
2) Themes could change the order and placement of fields. You could
decide to generate your taxonomy tree somewhere else than between
title and body. Maybe you can already do this through CSS, don't know.
3) People seem to like arrays more than strings. ;)
Cheers,
Gerhard
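The first point above, as an added example that is not code from the thread or from Drupal itself: the PHP definition of a node form acts as a whitelist, so fields injected into the rendered HTML are dropped and a value that does not match its declared type (a textarea swapped for a radio select, a scalar sent as an array) is rejected. The field names and the tampered submission are constructed for illustration.

```php
<?php
// Added example (not from the thread or Drupal): a server-side form
// definition that whitelists fields and checks value types, so inputs
// added to or retyped in the HTML form are rejected rather than stored.
// Field names and the submission below are constructed for illustration.

$node_form = [
  'title'  => ['type' => 'textfield', 'required' => true],
  'body'   => ['type' => 'textarea',  'required' => true],
  'status' => ['type' => 'radios', 'options' => ['0', '1'], 'required' => false],
];

function filter_submission(array $definition, array $submitted): array {
  $clean = [];
  $errors = [];
  // Anything not declared in the PHP definition is dropped and reported.
  foreach (array_diff_key($submitted, $definition) as $name => $unused) {
    $errors[] = "unexpected field '$name' ignored";
  }
  foreach ($definition as $name => $field) {
    if (!array_key_exists($name, $submitted)) {
      if (!empty($field['required'])) { $errors[] = "missing field '$name'"; }
      continue;
    }
    $value = $submitted[$name];
    switch ($field['type']) {
      case 'textfield':
      case 'textarea':
        // Free text must be a scalar string, not an array smuggled in as name[]
        if (!is_string($value)) { $errors[] = "'$name' must be a string"; continue 2; }
        break;
      case 'radios':
        // A radio value must be exactly one of the server-defined options
        if (!is_string($value) || !in_array($value, $field['options'], true)) {
          $errors[] = "'$name' is not an allowed option"; continue 2;
        }
        break;
      default:
        $errors[] = "'$name' has an unknown type"; continue 2;
    }
    $clean[$name] = $value;
  }
  return ['values' => $clean, 'errors' => $errors];
}

// Constructed tampered submission: an extra 'uid' field and 'status' sent as an array.
$submitted = ['title' => 'Hello', 'body' => 'Text', 'uid' => '1', 'status' => ['1']];
print_r(filter_submission($node_form, $submitted));
```

Only `title` and `body` survive into the values array; the extra `uid` field and the mistyped `status` are reported as errors instead of reaching the database.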