View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0002429 | Composr | core | public | 2016-04-20 00:10 | 2016-10-19 04:23 |
| Reporter | Chris Graham | Assigned To | Chris Graham | ||
| Severity | Feature-request | ||||
| Status | resolved | Resolution | fixed | ||
| Product Version | |||||
| Fixed in Version | |||||
| Summary | 0002429: Implement better configurability in *_param_string functions | ||||
| Description | Make sure either_param_string has exactly the same parameters as post_param_string. Give all the functions a $security_flags filter. By default all flags are set for POST, and many for GET. These set if word-filtering is done, if HTML filtering is done, etc. | ||||
| Additional Information | The old get_param_string $no_security parameter would no longer be needed. The "if ($name != 'password') {" clause would no longer be needed, as it could be coded in a cleaner way. This messy code can be cleaned up from sources/feedback.php (it is reimplementing either_param_string basically, as we can't trust that to not do a word-filtering): if (!isset($_GET['options']) && !isset($_POST['options'])) { post_param_string('options'); // Trigger an error } $options = isset($_POST['options']) ? $_POST['options'] : $_GET['options']; Any hard-coded field-name awareness could be cleaned up: if ((preg_match('#^\s*((((j\s*a\s*v\s*a\s*)|(v\s*b\s*))?s\s*c\s*r\s*i\s*p\s*t)|(d\s*a\s*t\s*a\s*))\s*:#i', $val) != 0) && ($name != 'value')/*Don't want autosave triggering this*/) { $is_url = ($name == 'from') || ($name == 'preview_url') || ($name == 'redirect') || ($name == 'redirect_passon') || ($name == 'url'); if (!in_array($name, array('login_username', 'password', 'remember', 'login_invisible'))) { | ||||
| Tags | No tags attached. | ||||
| Time estimation (hours) | 2 | ||||
| Sponsorship open | |||||
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2016-04-20 00:10 | Chris Graham | New Issue | |
| 2016-04-20 00:10 | Chris Graham | Additional Information Updated | View Revisions |
| 2016-04-20 21:48 | Chris Graham | Additional Information Updated | View Revisions |
| 2016-10-19 04:23 | Chris Graham | Status | non-assigned => resolved |
| 2016-10-19 04:23 | Chris Graham | Resolution | open => fixed |
| 2016-10-19 04:23 | Chris Graham | Assigned To | => Chris Graham |
