On Tue, 2 Feb 1999, Gilles Detillieux wrote:

> According to Alexander Bergolth:
> > I changed config["allow_in_form"] to input->get(form_vars[i]) in
> > Display::setVariables and in Display::createURL.
> 
> Wait, no, setVariables() should still use config[form_vars[i]], not
> input->get(form_vars[i])!

Ooops!
Once again, you are right...
That must be the weather, I didn't do anything clever yesterday... :)

> Of course, the allow_in_form attribute itself should only be read from
> the config dictionary, and not the input dictionary, because you don't
> want users to be able to override it!

In the for-loops only the list of variables that are specified in the
allow_in_form attribute are processed anyway. So if you don't say
something like
allow_in_form: foo bar allow_in_form
in the config file, nobody should be able to override this via query
string.

Thanks,
         Leo

-----------------------------------------------------------------------
Alexander (Leo) Bergolth                          [EMAIL PROTECTED]
WU-Wien - Zentrum fuer Informatikdienste       http://leo.wu-wien.ac.at
Info Center
In a world without walls and fences, who needs windows and gates?
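
The allowlist behaviour discussed in this thread, as an added C++ sketch that is not ht://Dig's own code and not from either poster: the list of overridable names is read only from the trusted config dictionary, and only those names are copied from the input dictionary. The `Dict` type, `apply_form_overrides`, the attribute `baz` and all sample values are assumptions constructed for illustration.

```cpp
#include <map>
#include <sstream>
#include <string>
#include <vector>

using Dict = std::map<std::string, std::string>;

// Split a whitespace-separated attribute value into names.
static std::vector<std::string> split_words(const std::string &value) {
    std::istringstream in(value);
    std::vector<std::string> words;
    for (std::string w; in >> w;) words.push_back(w);
    return words;
}

// Hypothetical helper: effective settings for one request.
// The allowlist comes from config only; input is consulted
// solely for names that the config-side allowlist contains.
Dict apply_form_overrides(const Dict &config, const Dict &input) {
    Dict effective = config;
    auto allow = config.find("allow_in_form");
    if (allow == config.end()) return effective;  // nothing overridable
    for (const std::string &name : split_words(allow->second)) {
        auto supplied = input.find(name);
        if (supplied != input.end()) effective[name] = supplied->second;
    }
    return effective;
}

// Constructed config: "allow" is the allow_in_form line of the config file.
Dict sample_config(const std::string &allow) {
    return {{"allow_in_form", allow}, {"foo", "site-foo"},
            {"bar", "site-bar"}, {"baz", "site-baz"}};
}

// Constructed query string that tries to override everything,
// including the allowlist itself.
Dict sample_query() {
    return {{"foo", "user-foo"}, {"baz", "user-baz"},
            {"allow_in_form", "foo bar baz"}};
}
```

With `allow_in_form: foo bar` only `foo` changes; with `allow_in_form: foo bar allow_in_form` the query string replaces the allowlist value, which is the case the thread says to avoid.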
