Problem/Motivation
The Field Validation integration currently lacks support for the field_validation_pcre_validator plugin.
While testing the patch another issue was discovered: _clientside_validation_ajax_call() uses check_plain() to sanitize the user input.
I'm not sure how much sense this makes, as it modifies the user input and thus can lead to unexpected validation results.
E.g. if you have the input ' (a single quote), the value actually validated is &#039; - now a regexp that allows ' but not &, #, ; or digits will fail, even though the actual user input is valid.
Proposed resolution
Copy/paste the current field_validation_regex_validator integration and replace _clientside_validation_set_regex() with _clientside_validation_set_regex_pcre().
Remove the check_plain() call in _clientside_validation_ajax_call() - this should be safe, as the user input isn't evaluated and isn't passed on to third-party code in any way.
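As an added illustration of the check_plain() problem described under Problem/Motivation (example code written for this page, not code from clientside_validation or Field Validation; the patterns and inputs are constructed), the following PHP script re-implements check_plain() as Drupal 7 defines it and runs a PCRE check against both the raw and the escaped value. It goes beyond the page's single-quote example by also showing the opposite failure: an input the pattern should reject that passes once it has been escaped.

```php
<?php
// Added example (not clientside_validation or Field Validation code): why
// escaping the submitted value before running the regex gives wrong results.
// Drupal 7's check_plain() is htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
// it is re-implemented here so the script runs outside Drupal.
function check_plain_equivalent(string $text): string {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Server-side check as the AJAX callback would run it: a value against a
// PCRE pattern (with delimiters, as a pcre validator expects).
// Returns TRUE when the value matches the pattern.
function validate_with_pcre(string $value, string $pattern): bool {
  return preg_match($pattern, $value) === 1;
}

// Constructed sample cases; the patterns are assumptions for this example.
$cases = [
  // A name field: letters, spaces and apostrophes. "O'Neil" is valid, but
  // check_plain() turns the apostrophe into &#039;, which contains &, #, ;
  // and digits, so the escaped value fails the check (false reject).
  ['pattern' => '/^[A-Za-z\' ]+$/', 'input' => "O'Neil"],
  // A field that must not contain angle brackets. "<b>" is invalid, but the
  // escaped form &lt;b&gt; has no brackets and passes (false accept).
  ['pattern' => '/^[^<>]*$/',       'input' => '<b>'],
];

foreach ($cases as $case) {
  $raw_ok     = validate_with_pcre($case['input'], $case['pattern']);
  $escaped    = check_plain_equivalent($case['input']);
  $escaped_ok = validate_with_pcre($escaped, $case['pattern']);
  printf("%-8s raw=%-5s escaped=%-12s -> %s\n",
    $case['input'],
    var_export($raw_ok, true),
    $escaped,
    var_export($escaped_ok, true));
}
```

Run it with `php example.php`. Both cases make the same point: escaping belongs at output, not in the validation path. With the check_plain() call removed as proposed, the validator sees exactly what the user typed; any value that is echoed back in the AJAX response still has to be escaped at the point where it is rendered.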
Remaining tasks
Reviews needed.
| Comment | File | Size | Author |
|---|---|---|---|
| #2 | clientside_validation-field_validation-pcre-regex-support-2861330-1.patch | 2.12 KB | das-peter |
Comments
Comment #2
das-peter (CreditAttribution: das-peter at Cando) commented:
While testing the patch another issue was discovered: _clientside_validation_ajax_call() uses check_plain() to sanitize the user input. I'm not sure how much sense this makes as it modifies user input and thus can lead to unexpected validation results.
E.g. if you've the input ' it will result in the value validated being &#039; - now a regexp that will allow ' but not &, #, ; or numbers will fail - even though the actual user input is valid.