Use validators or write a custom filter!?
- David
On 22.03.2006 at 14:27, Johan Mjönes wrote:
Anton Kovalenko wrote:
It might be a consequence of my poor English, but I can't figure out what
you mean. I suppose that tainted means spoiled or broken, right?
So you would welcome a way to get rid of spoiled parameter values inside
the getParameter() method?
Am I correct? Can validators concept help here?
I'm sorry, I should clarify.
What I mean by tainted parameters is this: if such a feature is
enabled, agavi would treat all untrusted data (such as GET/POST
parameters) as tainted until they are explicitly made otherwise.
And with tainted, I mean spoiled, insecure. For example, if you
accept a query which you then display on a page, you could
potentially open a security hole (since someone could insert a
<script> tag in the query, which could be executed inside the
trusted domain of the web page).
Untainting the data could be automatic (validators), semi-automatic
(if the GET parameter "id" is always a number, you could use a
getIntParameter() instead of getParameter() which would ensure that
the data is always a number) or manual (in which case the
programmer using agavi would have to manually "untaint" a certain
parameter before using getParameter() to retrieve it).
A bit more clear now, I hope? :)
Regards,
Johan
--
Johan Mjönes
Senior Developer
Online Gaming Platform
Phone: +46 8 789 12 00
Fax: +46 8 789 12 12
Cell: +46 7 052 838 55
E-mail: [EMAIL PROTECTED]
Internet: www.ongame.com
_______________________________________________
agavi-dev mailing list
[email protected]
http://labworkz.com/cgi-bin/mailman/listinfo/agavi-dev
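The three untainting paths Johan describes (validator, typed getter, manual untaint) and the reason the <script> example still needs output escaping, as an added illustration. This is not agavi code and not code from any poster on the thread; the RequestParameters class, its method names, the TaintedParameterException and the sample request values are all hypothetical and constructed here.

```php
<?php
// Added illustration of the "tainted parameters" idea from the thread.
// This is NOT agavi code; every class and method name here is hypothetical.

final class TaintedParameterException extends RuntimeException {}

final class RequestParameters
{
    /** @var array<string,string> raw, untrusted values (think $_GET + $_POST) */
    private array $raw;
    /** @var array<string,mixed> values that passed a validator or were untainted by hand */
    private array $clean = [];

    public function __construct(array $untrusted)
    {
        // Everything that came from the client starts out tainted.
        $this->raw = $untrusted;
    }

    /** Manual path: the developer explicitly vouches for one parameter. */
    public function untaint(string $name): void
    {
        if (array_key_exists($name, $this->raw)) {
            $this->clean[$name] = $this->raw[$name];
        }
    }

    /**
     * Automatic path: a validator callback decides whether the raw value is
     * acceptable. It returns false to reject, true to accept the raw string,
     * or any other value to accept a normalised replacement (e.g. an int).
     */
    public function validate(string $name, callable $validator): bool
    {
        if (!array_key_exists($name, $this->raw)) {
            return false;
        }
        $result = $validator($this->raw[$name]);
        if ($result === false) {
            return false;
        }
        $this->clean[$name] = ($result === true) ? $this->raw[$name] : $result;
        return true;
    }

    /** Semi-automatic path: a typed accessor that only ever yields an integer. */
    public function getIntParameter(string $name, ?int $default = null): ?int
    {
        if (!array_key_exists($name, $this->raw)) {
            return $default;
        }
        $value = filter_var($this->raw[$name], FILTER_VALIDATE_INT);
        return ($value === false) ? $default : $value;
    }

    /** Generic accessor: refuses to hand out data nobody has untainted yet. */
    public function getParameter(string $name, $default = null)
    {
        if (array_key_exists($name, $this->clean)) {
            return $this->clean[$name];
        }
        if (array_key_exists($name, $this->raw)) {
            throw new TaintedParameterException(
                "parameter '$name' is tainted; validate or untaint it first"
            );
        }
        return $default;
    }
}

// Constructed sample request, not captured traffic.
$params = new RequestParameters([
    'id'    => '42',
    'page'  => '7abc',
    'query' => 'foo<script>alert(1)</script>',
]);

// Semi-automatic: "id" must be a number, "page" falls back to its default.
var_dump($params->getIntParameter('id'));
var_dump($params->getIntParameter('page', 1));

// Automatic: a validator that only admits word characters and whitespace.
var_dump($params->validate('query', fn($v) => (bool) preg_match('/^[\w\s]{1,64}$/', $v)));

// Data that is still tainted is refused by the generic accessor.
try {
    $params->getParameter('query');
} catch (TaintedParameterException $e) {
    echo $e->getMessage(), "\n";
}

// Manual: the developer vouches for the value. Untainting only records that
// someone checked it; it is still escaped when placed into HTML.
$params->untaint('query');
echo htmlspecialchars($params->getParameter('query'), ENT_QUOTES | ENT_HTML5, 'UTF-8'), "\n";
```

Running this, getIntParameter('id') yields 42 while getIntParameter('page', 1) yields the default because "7abc" is not an integer; the validator rejects the query, getParameter('query') throws until untaint() has been called, and the final line prints the query with its angle brackets entity-encoded. The design point is that untainting and escaping are separate steps: a value can be legitimately untainted (a free-text search term is valid input) and still be dangerous in a particular output context, so the output encoder is applied regardless.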