[drupal-devel] Rewriting use of forms in Drupal
steven at acko.net
Fri Jun 3 12:04:51 UTC 2005
Gerhard Killesreiter wrote:
>What follows is a proposal I sent to Dries before the security releases
>were made. Since it hinted at the possibility of flaws in our current
>way of handling forms I didn't want to make it available for public
>viewing at that time. There are probably still errors in some forms, but
>the most serious exploits should be fixed now. Although the proposal is
>geared towards node forms, it could be easily extended for other forms.
>Feedback would be appreciated.
Actually, I discovered a somewhat related issue today... it is in fact
impossible to do this in Drupal:
$node = node_load(...);
The problem is that in node_validate() we assume that we only get fields
which were output in forms. Some fields, like the teaser, are by default
not output (only if you have excerpt.module). node_validate() checks if
there is a teaser provided already (assuming any teaser comes from an
external module), and if so, doesn't generate a new one.
Similar problems can exist, for example when a contributed module does
not have a single body field. After submitting the node_form(), there
would be no $node->body, but this field is present after you do a
In node_validate we would need to unset any field which is not part of
the standard form. Your technique seems to open the door for that.
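As an added illustration, not from the original post and not Drupal code: the allowlisting step described above (unset any submitted field the form did not output) in a small self-contained PHP sketch. Every function name here is a hypothetical stand-in, and the submission array is constructed for the demo.

```php
<?php
// Added example (hypothetical code, not Drupal's): a client can POST fields the
// node form never rendered. If the server merges every submitted key into the
// node, a client-supplied "teaser" suppresses the server-side teaser generation.

// Stand-in for module_exists(): pretend no excerpt module is enabled.
function example_module_enabled($name) {
    return false;
}

// Hypothetical: the fields the node form actually outputs for this node type.
function example_node_form_fields($type) {
    $fields = array('title', 'body');
    // Only with an excerpt-style module would 'teaser' be a real form field.
    if (example_module_enabled('excerpt')) {
        $fields[] = 'teaser';
    }
    return $fields;
}

// Naive handler: trusts every submitted key (the problem described in the post).
function example_build_node_naive(array $submitted) {
    return (object) $submitted;
}

// Hardened handler: keep only keys the form is known to have output.
function example_build_node_allowlisted(array $submitted, $type) {
    $allowed = example_node_form_fields($type);
    $clean = array_intersect_key($submitted, array_flip($allowed));
    return (object) $clean;
}

// Simplified teaser step in the spirit of node_validate(): a provided teaser is
// kept (assumed to come from a module), otherwise one is derived from the body.
function example_validate_teaser($node) {
    if (!isset($node->teaser) || $node->teaser === '') {
        $node->teaser = substr($node->body, 0, 24);
    }
    return $node;
}

// Constructed submission: includes a 'teaser' key the form never rendered.
$submitted = array(
    'title'  => 'Hello',
    'body'   => 'This is the full body text of the node, which is longer.',
    'teaser' => 'client-supplied teaser, never generated server-side',
);

$naive = example_validate_teaser(example_build_node_naive($submitted));
$safe  = example_validate_teaser(example_build_node_allowlisted($submitted, 'page'));

echo "naive teaser:       " . $naive->teaser . "\n";
echo "allowlisted teaser: " . $safe->teaser . "\n";
```

Running this prints the client-supplied string for the naive path and a server-derived excerpt for the allowlisted path; the same filter also covers the body-less contributed-module case mentioned above, because a key absent from the form's field list simply never reaches the node object.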