[D7] Webform Skip

Hello,

Thank you for reviewing! I mentioned in the initial post about the one warning PAReview displays, and that I believe it's a false positive. The $form_state['input'] is only used in order to to reset the value of a hidden form variable: https://git.drupalcode.org/project/webform_skip/blob/7.x-1.x/webform_ski...

I am not using the value stored in $form_state['input'] anywhere in the module's code, only resetting it to zero. Is this still a valid concern?

I'm not sure I understand. I'm not using the value, it's just being set to its initial value of zero. Why does it need to be validated or sanitized?

Thank you for your feedback! Please let me know if you find any bugs related to your validation concerns. I've been running this module for one of my site's particular use case, and it's been running successfully. Though for that particular webform, the only required field is on the first page of the webform, and the other steps of the webform are optional.

Re concern #1: I added hook_uninstall(). Thanks for pointing this out!

Re concern #2: I debated this on initial release. I ended up defaulting to "enabled" because I thought enabling the module should enable the functionality. Though I understand your point about the annoyance of having to go to multiple webforms in the event you want to enable the functionality for some multi-steps webforms, but not others. So I added a config form to easily enable/disable the module's functionality on all webforms in the system. On the config form, all the webforms are listed, and to disable you can easily uncheck box(es) and then save. The config form is at /admin/config/content/webform/skip. Tomorrow, I'll create a new release for this, and will update the project's main page and README.

As mentioned in the initial post, and comment #5 and #7, I believe this is a false positive. Can you please confirm or deny?

Link to the code in question is here >>> https://git.drupalcode.org/project/webform_skip/blob/7.x-1.x/webform_ski... <<< thank you for reviewing!

Can you please tell me why it needs updated? PAReview says on that page the issue could be a false positive, and I believe it is.

From RandyFay.com

$form_state['input']: The array of values as they were submitted by the user. These are raw and unvalidated, so should not be used without a thorough understanding of security implications. In almost all cases, code should use the data in the 'values' array exclusively. The most common use of this key [input] is for multi-step forms that need to clear some of the user input when setting 'rebuild'

I think PAReview is just not taking this use case into account in its automated reviews of code (hence, the false positive warning it is throwing for this module). This module relies on reseting a hidden form value on a multi-step form, and the only way to do so is to access $form_state['input']. The module is not using the value in $form_state['input'], which is what would pose a security risk, and PAReview is probably simply looking for instances of that string in the code, not taking into account code that is simply setting a value, not using the value.

Excellent! I added t() to that Save button, and pushed to the dev release. Thanks for catching that.

Thanks to everyone for reviewing!