Anton Kovalenko wrote:
It might be a consequence of my poor English, but I can't figure out what you mean. I suppose that tainted means spoiled or broken, right? So you welcome a way to get rid of spoiled parameter values inside the getParameter() method? Am I correct? Can the validators concept help here?
I'm sorry, I should clarify.
What I mean by tainted parameters is this: if such a feature is enabled, agavi would treat all untrusted data (such as GET/POST parameters) as tainted until they are explicitly made otherwise. And by tainted, I mean spoiled, insecure. For example, if you accept a query which you then display on a page, you could potentially open a security hole (since someone could insert a <script> tag in the query, which could be executed inside the trusted domain of the web page).
Untainting the data could be automatic (validators), semi-automatic (if the GET parameter "id" is always a number, you could use a getIntParameter() instead of getParameter(), which would ensure that the data is always a number) or manual (in which case the programmer using agavi would have to manually "untaint" a certain parameter before using getParameter() to retrieve it).
A bit more clear now, I hope? :)

Regards,
Johan

--
Johan Mjönes
Senior Developer, Online Gaming Platform
Phone: +46 8 789 12 00
Fax: +46 8 789 12 12
Cell: +46 7 052 838 55
Internet: www.ongame.com

_______________________________________________
agavi-dev mailing list
http://labworkz.com/cgi-bin/mailman/listinfo/agavi-dev
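A sketch of the three untainting paths described in the message above (validator, typed getter, manual untaint), added here as an illustration and not code from Agavi or from the author; the `Tainted` and `Request` classes and the `untaint()` method are assumed names, only `getParameter()` and `getIntParameter()` come from the thread.

```php
<?php
// Added example, not Agavi's own code: parameters from GET/POST are
// tainted until a validator or a typed getter makes them trusted.
final class Tainted
{
    public function __construct(private string $raw) {}
    // Deliberately no __toString(): echoing a Tainted value in a
    // template fails loudly instead of injecting raw input into HTML.
    public function raw(): string { return $this->raw; }
}

final class Request
{
    /** @var array<string, string> values already untainted, by name */
    private array $untainted = [];
    public function __construct(private array $params) {}

    // Manual path: untrusted data only comes back wrapped.
    public function getParameter(string $name): Tainted|string|null
    {
        if (array_key_exists($name, $this->untainted)) {
            return $this->untainted[$name];
        }
        return isset($this->params[$name]) ? new Tainted($this->params[$name]) : null;
    }

    // Semi-automatic path: only a well-formed integer is ever returned.
    public function getIntParameter(string $name): ?int
    {
        $value = $this->params[$name] ?? null;
        return ($value !== null && preg_match('/^-?\d{1,18}$/', $value)) ? (int) $value : null;
    }

    // Automatic path: a validator returns the cleaned string or null.
    public function untaint(string $name, callable $validator): bool
    {
        $clean = isset($this->params[$name]) ? $validator($this->params[$name]) : null;
        if ($clean === null) {
            return false;
        }
        $this->untainted[$name] = $clean;
        return true;
    }
}

// Constructed sample input standing in for $_GET.
$request = new Request(['id' => '42', 'q' => '<script>alert(1)</script>']);
$id = $request->getIntParameter('id');
$request->untaint('q', fn(string $v) => preg_match('/^[\w ]{1,64}$/', $v) ? $v : null);
$q = $request->getParameter('q'); // still a Tainted wrapper: the validator rejected it
```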
