Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.Problem/Motivation
The field validation integration is currently missing an integration with the field_validation_pcre_validator plugin.
While testing the patch another issue was discovered: _clientside_validation_ajax_call() uses check_plain() to sanitize the user input.
I'm not sure how much sense this makes as it modifies user input and thus can lead to unexpected validation results.
E.g. if you've the input if you've the input it will result in the value validated beeing if you've the input - now a regexp that will allow ' but not & / # / ; or numbers will fail - even thought the actual user input is valid.
Proposed resolution
Copy / past the current field_validation_regex_validator and replace _clientside_validation_set_regex() with _clientside_validation_set_regex_pcre().
Remove the check_plain() in _clientside_validation_ajax_call() - this should be safe as the user input isn't evaluated and not passed on to third-party code in any way.
Remaining tasks
Reviews needed.
| Comment | File | Size | Author |
|---|---|---|---|
| #2 | clientside_validation-field_validation-pcre-regex-support-2861330-1.patch | 2.12 KB | das-peter |
Comments
Comment #2
das-peter CreditAttribution: das-peter at Cando commentedWhile testing the patch another issue was discovered:
_clientside_validation_ajax_call()usescheck_plain()to sanitize the user input.I'm not sure how much sense this makes as it modifies user input and thus can lead to unexpected validation results.
E.g. if you've the input
if you've the inputit will result in the value validated beeingif you've the input- now a regexp that will allow'but not&/#/;or numbers will fail - even thought the actual user input is valid.