Hi Yury,

Yes, it's true that malicious (or inquisitive) users can turn off all of
SF's validation. SF's main validation is Javascript-based, and as far as I
know that one can be shut off by users just as easily as the HTML changes
you mentioned. I've made no effort to try to make SF more secure in that
regard, for two related reasons:

- unless there's some custom coding done, users will always be able to go
to "action=edit" and modify the page directly, however they want.

- more generally, it's a wiki: the default approach is to let everyone edit
any page however they want. When malicious edits are made, they're easy to
spot and revert, and the user who made the edit can then be blocked.

And there's a third reason, which is that these kinds of "clever" malicious
edits are, from my experience, extremely rare: vandalism tends to be done
by users who are idiots and/or spammers.

Any thoughts on that?

-Yaron


On Tue, Oct 30, 2012 at 11:34 AM, Yury Katkov <katkov.ju...@gmail.com> wrote:

> Hi Yaron and everyone!
>
> We experimented a bit with Semantic Forms and found that the forms do
> not validate the correctness of the values for 'values from category'.
> Here is an example: I define a form with the field
>
> {{field|nameofthefield|values from category=Mycategory|input
> type=dropdown}}
>
> My intuition is that it's impossible to enter the value that is not
> listed in a dropdown, so I want to rely on some validation mechanism
> of SF.
> It's not so, unfortunately.
>
> Using Firebug or Chrome Developer (see [1]) I can alter any <option>
> in a dropdown and send the data that is not allowed (see [2]).
>
> Yaron, is the enhanced security and validation of Forms currently in
> the roadmap? IMHO it's a serious issue for those who use semantic
> forms to really restrict the editing of the pages.
>
>
> [1] http://i.imm.io/Jdm3.png
> [2] http://i.imgur.com/WkPpG.png
> -----
> Yury Katkov, WikiVote
>



-- 
WikiWorks · MediaWiki Consulting · http://wikiworks.com
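The point both messages circle around, shown as an added example that is not Semantic Forms code: the dropdown built from "values from category" only limits what the browser offers, so the server has to re-derive the allowed set and check the posted value itself. The category lookup is a constructed dictionary standing in for the wiki's category query, and all names are hypothetical.

```python
"""Client-side dropdown vs. server-side check for a 'values from category' field."""
import html

# Constructed stand-in for the member pages of Category:Mycategory (hypothetical).
CATEGORY_MEMBERS = {"Mycategory": ["Alpha", "Beta", "Gamma"]}


def render_dropdown(field_name, category):
    """Client side: the <select> a form would emit for the field.

    This restricts only what the browser shows; an <option> edited in a DOM
    inspector, or a hand-built POST, can carry any value at all.
    """
    opts = "".join(
        f'<option value="{html.escape(v, quote=True)}">{html.escape(v)}</option>'
        for v in CATEGORY_MEMBERS[category]
    )
    return f'<select name="{html.escape(field_name, quote=True)}">{opts}</select>'


def validate_submission(form_data, field_name, category):
    """Server side: the check that actually matters. Returns (ok, message).

    The allowed set is recomputed from the category on the server, never
    taken from anything the client sent.
    """
    allowed = set(CATEGORY_MEMBERS.get(category, []))
    value = form_data.get(field_name)
    if value is None:
        return False, f"{field_name}: missing"
    if value not in allowed:
        # Value was not among the options the server generated: reject the
        # save instead of writing an arbitrary value into the page.
        return False, f"{field_name}: {value!r} is not in Category:{category}"
    return True, "ok"


if __name__ == "__main__":
    print(render_dropdown("nameofthefield", "Mycategory"))
    # Normal submission from the rendered form.
    print(validate_submission({"nameofthefield": "Beta"}, "nameofthefield", "Mycategory"))
    # Submission whose value never appeared in the dropdown.
    print(validate_submission({"nameofthefield": "Zeta"}, "nameofthefield", "Mycategory"))
```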
_______________________________________________
Semediawiki-devel mailing list
Semediawiki-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/semediawiki-devel
