[development] form protection?

Karoly Negyesi karoly at negyesi.net
Sat Dec 29 02:15:16 UTC 2007


> should work for people without javascript too.  So, if the options are
> known to the php code, you might try setting them in the #options, then


I second this motion. #DANGEROUS_SKIP_CHECK has good reasons for being uppercase -- it should stand out in your code like a sore thumb, and it should hurt like one. I grudgingly added it and was rather happy when it was removed.

This is as good an occasion as any to remind you all that the primary reason for FAPI transformation is not expandability, themability or any other such goodness. Nope, the primary reason is security. It's the first guard. Yes, it was not the first goal of it, but then we realized it's very good as a first line of defense. If you knock off the options checker, you have removed one of the guards in Drupal. Your validation handler had better be good then, to replace it.

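As an added illustration of the point above (this is example code written for this page, not code from the thread or from Drupal itself), here is a Drupal 6-style form in which the select's allowed values are known to PHP and therefore live in `#options`, so the Form API's built-in options check rejects any submitted value that is not one of those keys before a submit handler runs, with or without JavaScript. The validation handler shows what you have to write yourself when the list is filled in client-side and the options check no longer covers it: recompute the allowed set on the server and refuse everything else. The function names (`example_*`) and the helper `example_allowed_regions()` are assumptions for illustration.

```php
<?php
// Added example, not from the original thread or from Drupal core.
// Assumed names: example_shipping_form, example_shipping_form_validate,
// example_allowed_regions.

/**
 * Hypothetical helper: the server-side source of truth for the valid keys.
 * Whatever the browser shows, this list decides what may be submitted.
 */
function example_allowed_regions() {
  return array(
    'eu'   => t('European Union'),
    'us'   => t('United States'),
    'apac' => t('Asia-Pacific'),
  );
}

/**
 * Form builder. Because the allowed values are known to PHP, they go into
 * #options and the Form API itself acts as the first guard: a submitted
 * value that is not a key of #options is rejected during validation.
 */
function example_shipping_form(&$form_state) {
  $form['region'] = array(
    '#type'     => 'select',
    '#title'    => t('Shipping region'),
    // Keys are the only values FAPI will accept for this element.
    '#options'  => example_allowed_regions(),
    '#required' => TRUE,
  );
  $form['submit'] = array(
    '#type'  => 'submit',
    '#value' => t('Continue'),
  );
  return $form;
}

/**
 * Validation handler for the case the thread warns about: if the option
 * list was altered client-side and the built-in options check had to be
 * bypassed, this handler has to replace that guard. It re-derives the
 * allowed keys on the server and rejects anything outside that set, using
 * an exact key match rather than a loose comparison.
 */
function example_shipping_form_validate($form, &$form_state) {
  $allowed = example_allowed_regions();
  $value = isset($form_state['values']['region']) ? $form_state['values']['region'] : NULL;

  if (!is_string($value) || !array_key_exists($value, $allowed)) {
    // Same outcome the Form API's own options check would produce:
    // the form does not reach its submit handlers.
    form_set_error('region', t('An illegal choice has been detected.'));
  }
}
```

The design point is that the check in the validation handler is an allow-list computed on the server, not a comparison against whatever the page happened to render; if the allowed set depends on the user or on other submitted values, recompute it from those server-side facts inside the handler rather than trusting the submitted list.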
