[development] How to pass form values to page that actually does something.
Greg Knaddison
Greg at GrowingVentureSolutions.com
Tue May 11 13:13:58 UTC 2010
I share Randy's questions, but want to diverge to discuss one thing.
On Tue, May 11, 2010 at 6:55 AM, Randy Fay <randy at randyfay.com> wrote:
> The converse is a *really* bad idea: using a GET when changing state on the
> server, of course - this is the path to XSS everywhere.
It's a path to CSRF (cross site request forgery) and not XSS (cross
site scripting).
But really the answer is that you should use GET/POST depending on
what makes the most sense in general and then protect it in a sane way
- either with the default token that FAPI gives you or via a
self-created/self-verified query string token.
All this and more is documented at http://crackingdrupal.com/node/48
Regards,
Greg
--
Greg Knaddison | 303-800-5623 | http://growingventuresolutions.com
Mastering Drupal | http://www.masteringdrupal.com
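The "self-created/self-verified query string token" mentioned above, written out as an added example (not code from the post or from Drupal core): the token is an HMAC over the session id and the specific action, keyed with a server-side secret, and is checked in constant time before any state change. PRIVATE_KEY, the action string and the link format are constructed placeholders; Drupal's own equivalents are drupal_get_token() and drupal_valid_token().

```php
<?php
// Added example: a self-created, self-verified token for a state-changing
// GET link. The same idea is what Drupal's drupal_get_token() /
// drupal_valid_token() implement; it is spelled out here so the pieces are visible.

// Assumption: a secret that exists only on the server (Drupal keeps one via
// drupal_get_private_key()). Constructed placeholder for this example.
const PRIVATE_KEY = 'replace-with-server-side-secret';

/**
 * Build a token bound to the current session and to one specific action,
 * so a token captured for one link cannot authorise a different action
 * or be replayed from another session.
 */
function csrf_token(string $session_id, string $action): string {
  return hash_hmac('sha256', $session_id . '|' . $action, PRIVATE_KEY);
}

/**
 * Verify a token taken from the query string. hash_equals() compares in
 * constant time so the check does not leak how many leading characters matched.
 */
function csrf_token_valid(string $token, string $session_id, string $action): bool {
  return hash_equals(csrf_token($session_id, $action), $token);
}

// --- Producing the link ------------------------------------------------------
$session_id = session_id();          // empty string outside a started session
$action     = 'node/42/delete';      // constructed example action
$link = '/' . $action . '?token=' . rawurlencode(csrf_token($session_id, $action));

// --- Handling the request that changes state ----------------------------------
$submitted = $_GET['token'] ?? '';
if (!csrf_token_valid($submitted, $session_id, $action)) {
  // Token missing or forged: refuse before touching any state.
  header('HTTP/1.1 403 Forbidden');
  exit('Invalid token');
}
// Only past this point is it safe to perform the state change.
```

A token bound only to the session (not the action) is weaker: one leaked link would then authorise every tokenised action for that user.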