[drupal-devel] Rewriting use of forms in Drupal

Gerhard Killesreiter killesreiter at physik.uni-freiburg.de
Fri Jun 3 11:44:22 UTC 2005

On Fri, 3 Jun 2005, Dries Buytaert wrote:

> On 03 Jun 2005, at 11:23, Gerhard Killesreiter wrote:
> > What follows is a proposal I sent to Dries before the security
> > releases
> > were made. Since it hinted at the possibility of flaws in our current
> > way of handling forms I didn't want to make it available for public
> > viewing at that time. There are probably still errors in some
> > forms, but
> > the most serious exploits should be fixed now. Although the
> > proposal is
> > geared towards node forms, it could be easily extended for other
> > forms.
> >
> I think I'm missing the point.  What _exactly_ do we gain?

1) We can ensure that only the fields that are defined by our PHP code
   can be used.

   Currently, you can add html to any Drupal generated HTML form and the
   values will be processed and possibly be inserted into the database.
   We can also check if the fields still are of the type that they
   should. I am not sure that you can gain anything by exchaning a
   textarea input to a radioselect, but the possibility annoys me.

2) Themes could change the order and placement of fields. You could
   decide to generate your taxonomy tree somewhere else than between
   title and body. Maybe you can already do this through CSS, don't know.

3) People seem to like arrays more than strings. ;)


More information about the drupal-devel mailing list