On 09.11.2012 00:50, Massimo Manghi wrote:
> Hi Jeff and Harald
>
> On 11/08/2012 09:16 PM, Jeff Lawson wrote:
>> On Thu, Nov 8, 2012 at 7:58 AM, Harald Oehlmann
>> <harald.oehlm...@elmicron.de> wrote:
>>> On 07.11.2012 00:10, Jeff Lawson wrote:
>>>> On Tue, Nov 6, 2012 at 3:30 AM, Harald Oehlmann
>>>> <harald.oehlm...@elmicron.de> wrote:
>>>>> On 06.11.2012 09:48, Jeff Lawson wrote:
>>>>>> I have verified that it now seems fixed for textareas with your
>>>>>> change. I will try to confirm with my colleague about his purported
>>>>>> failure with checkboxes and construct an example if needed.
>>>>>
>>>>> Thank you, Jeff.
>>>>>
>>>>> The reason for this change was to correctly interpret list and
>>>>> values to avoid a malfunction or crash if the user enters something
>>>>> which is not a list.
>>>>
>>>> Here is another example that demonstrates the difference in checkbox
>>>> behavior... In form 1.0, there are several checkboxes selected by
>>>> default, but on form 2.0 none of them are. Note that -value is not
>>>> specified for the checkboxes, but any "true" value was accepted as
>>>> signalling a checked state under form 1.0.
>>>>
>
> I agree that we should preserve the former behavior (form 1.0) to keep
> form 2.0 compatible with existing code and also because it's rather
> intuitive and desirable to have default values of checkboxes (like for
> any other input element) set at the form level instead of setting each
> input element independently.
Thank you, Jeff and Massimo,

I propose to solve it in the following way:

- only for checkboxes (not for radio buttons, where it worked before too):
  if there is a default value and no "-value" defined, only the attribute
  "checked" is set, but not the value.

Why I think it is a security hole if the default value is inserted in the
"value" property of the HTML code:

Imagine checkbox a and the URL:

  localhost?a=arbitrary data

Then the arbitrary data is entered into the HTML code:

  <input type="checkbox" value="arbitrary data">

An attacker may inject a kilobyte of vulnerable code into the HTML code.
If method "post" is used, nobody will see the code.
A user must just click (or must be redirected) to inject the code.

Thank you,
Harald

---------------------------------------------------------------------
To unsubscribe, e-mail: rivet-dev-unsubscr...@tcl.apache.org
For additional commands, e-mail: rivet-dev-h...@tcl.apache.org
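The breakout Harald describes, as an added example in Python rather than Rivet's Tcl. This is not code from the thread or from Rivet's form package: `checkbox_unsafe` mirrors the behaviour he objects to (request-supplied default copied into `value=`), `checkbox_safe` mirrors his proposal (default only sets `checked`) and additionally escapes an explicit, developer-supplied `-value`, and `injected_attributes` is a check that parses the rendered tag the way a browser would and reports any attribute the template did not intend. The payload, query string and function names are constructed here.

```python
# Added example (not Rivet's form package): why a request-supplied default
# must not be copied verbatim into a checkbox's value attribute, and what the
# proposed "only set checked" behaviour looks like. All names are hypothetical.
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode

# Constructed attacker input: closes the value attribute and adds a handler.
PAYLOAD = 'x" onfocus="alert(1)'
# Constructed query string / POST body carrying it (same shape for GET and POST,
# which is why a POST request hides the payload from anyone looking at the URL).
QUERY = urlencode({"a": PAYLOAD})


def defaults_from_query(query_string):
    """First value of each parameter, as a form package that takes field
    defaults from the request would see them."""
    return {k: v[0] for k, v in parse_qs(query_string, keep_blank_values=True).items()}


def checkbox_unsafe(name, default):
    """The behaviour objected to in the thread: the default lands in value= unescaped."""
    attr = f' value="{default}" checked' if default else ""
    return f'<input type="checkbox" name="{name}"{attr}>'


def checkbox_safe(name, default, value=None):
    """The proposed behaviour: a default with no explicit -value only sets
    "checked". An explicit -value (developer-controlled) is still emitted
    escaped, so even a strange value cannot break out of the attribute."""
    parts = [f'<input type="checkbox" name="{html.escape(name, quote=True)}"']
    if value is not None:
        parts.append(f' value="{html.escape(str(value), quote=True)}"')
    if default:
        parts.append(" checked")
    parts.append(">")
    return "".join(parts)


class _InputAttrs(HTMLParser):
    """Collects the attribute dict of every <input> in a fragment."""

    def __init__(self):
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.inputs.append(dict(attrs))


def input_attributes(markup):
    p = _InputAttrs()
    p.feed(markup)
    p.close()
    return p.inputs


def injected_attributes(markup, allowed=("type", "name", "value", "checked")):
    """Attributes a browser would see on the rendered inputs beyond the ones
    the template meant to emit. Non-empty means the request broke out of value=."""
    bad = set()
    for attrs in input_attributes(markup):
        bad.update(k for k in attrs if k not in allowed)
    return sorted(bad)


if __name__ == "__main__":
    default = defaults_from_query(QUERY)["a"]
    print(checkbox_unsafe("a", default))              # onfocus handler is now in the page
    print(injected_attributes(checkbox_unsafe("a", default)))
    print(checkbox_safe("a", default))                # only "checked", no value attribute
    print(checkbox_safe("a", default, value="yes"))   # explicit -value, escaped
```

The check is deliberately a parser rather than a substring search: what matters is which attributes the browser ends up with, not whether the raw payload string appears in the output. Note that escaping alone would already close the hole; the "checked only" rule on top of it also stops the submitted value from being changed by whoever crafted the link.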