[drupal-devel] Rewriting use of forms in Drupal

Steven Wittens steven at acko.net
Fri Jun 3 12:04:51 UTC 2005

Gerhard Killesreiter wrote:

>Hi there!
>What follows is a proposal I sent to Dries before the security releases
>were made. Since it hinted at the possibility of flaws in our current
>way of handling forms I didn't want to make it available for public
>viewing at that time. There are probably still errors in some forms, but
>the most serious exploits should be fixed now. Although the proposal is
>geared towards node forms, it could be easily extended for other forms.
>Feedback would be appreciated.
Actually, I discovered a something related issue today... it is in fact 
impossible to do this in Drupal:

$node = node_load(...);

The problem is that in node_validate() we assume that we only get fields 
which were output in forms. Some fields, like the teaser, are by default 
not output (only if you have excerpt.module). node_validate() checks if 
there is a teaser provided already (assuming any teaser comes from an 
external module), and if so, doesn't generate a new one.

Similar problems can exist, for example when a contributed module does 
not have a single body field. After submitting the node_form(), there 
would be no $node->body, but this field is present after you do a 

In node_validate we would need to unset any field which is not part of 
the standard form. Your technique seems to open the door for that.

Steven Wittens

More information about the drupal-devel mailing list