#1074: Allow control over exporting behavior in combination with argument bases
-------------------------+--------------------------------------------------
Reporter: david | Owner: dominik
Type: enhancement | Status: new
Priority: normal | Milestone: 1.0.1
Component: validation | Version: 1.0.0
Severity: normal | Keywords:
Has_patch: 0 |
-------------------------+--------------------------------------------------
Description changed by david:
Old description:
> While fixing #1073, we need to implement a way to control the exporting
> of values when arrays (through argument bases) come into play.
>
> For instance, when validating
> {{{
> <arguments base="foo[]"><argument /></arguments>
> }}}
> and one wants to export to an array "bar" while preserving the keys, the
> syntax will be:
> {{{
> <ae:parameter name="export">bar[%2$s]</ae:parameter>
> }}}
> because the argument base in this case contains two parts:
> 1. foo
> 2. <current key in iteration>
>
> As you can see, it uses {{{sprintf()}}} syntax. The input is always the
> current argument base, which *never* includes the argument itself. For
> example, for
> {{{
> <arguments base="foo[]"><argument>bar</argument></arguments>
> }}}
> the base contains
> 1. foo
> 2. <current key in iteration>
> so if you want to rename the "foo" array to "bar" and preserve the other
> keys, you have to do:
> {{{
> <ae:parameter name="export">bar[%2$s][bar]</ae:parameter>
> }}}
>
> There are two other special cases:
> 1. Using {{{[]}}} will always result in an empty string ({{{string(0)
> ""}}}) key. It is not possible to "append" values like with the PHP
> syntax {{{$foo[]}}}. The reason is that programmers might assume that the
> resulting array is 0-indexed, but an attacker could append {{{?foo[29]}}}
> to the request URL, changing the offset. Unlikely to be a security issue,
> but we're better safe than sorry.
> 2. You can reduce elements to a single value, if you want to, by doing
> something like {{{<ae:parameter name="export">lastfoo</ae:parameter>}}}
>
> You could also do something like
> {{{
> <arguments base="foo[]"><argument /></arguments>
> <ae:parameter name="export">foo_%2$s</ae:parameter>
> }}}
> to export {{{foo[*]}}} to {{{foo_*}}}. The other way round is not
> possible, of course.
New description:
While fixing #1073, we need to implement a way to control the exporting of
values when arrays (through argument bases) come into play.
For instance, when validating
{{{
<arguments base="foo[]"><argument /></arguments>
}}}
and one wants to export to an array "bar" while preserving the keys, the
syntax will be:
{{{
<ae:parameter name="export">bar[%2$s]</ae:parameter>
}}}
because the argument base in this case contains two parts:
1. {{{foo}}}
2. ''current key in iteration''
As you can see, it uses {{{sprintf()}}} syntax. The input is always the
current argument base, which *never* includes the argument itself. For
example, for
{{{
<arguments base="foo[]"><argument>bar</argument></arguments>
}}}
the base contains
1. {{{foo}}}
2. ''current key in iteration''
so if you want to rename the "foo" array to "bar" and preserve the other
keys, you have to do:
{{{
<ae:parameter name="export">bar[%2$s][bar]</ae:parameter>
}}}
There are two other special cases:
1. Using {{{[]}}} will always result in an empty string ({{{string(0)
""}}}) key. It is not possible to "append" values like with the PHP syntax
{{{$foo[]}}}. The reason is that programmers might assume that the
resulting array is 0-indexed, but an attacker could append {{{?foo[29]}}}
to the request URL, changing the offset. Unlikely to be a security issue,
but we're better safe than sorry.
2. You can reduce elements to a single value, if you want to, by doing
something like {{{<ae:parameter name="export">lastfoo</ae:parameter>}}}
You could also do something like
{{{
<arguments base="foo[]"><argument /></arguments>
<ae:parameter name="export">foo_%2$s</ae:parameter>
}}}
to export {{{foo[*]}}} to {{{foo_*}}}. The other way round is not
possible, of course.
--
Ticket URL: <http://trac.agavi.org/ticket/1074#comment:2>
Agavi <http://www.agavi.org/>
An MVC Framework for PHP5
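
The export rules described in this ticket, as an added PHP sketch that is not Agavi's implementation: `splitExportPath()` and `exportValue()` are hypothetical names, and the request data is constructed. It assumes PHP 7.1 or later, and expanding each path segment separately is a design choice of this example, not something the ticket specifies.

```php
<?php
// Added illustration, not Agavi code; all function names are hypothetical.

// Split an export template into path segments, e.g. 'bar[%2$s][bar]' into 'bar', '%2$s', 'bar'.
function splitExportPath(string $template): array
{
    if (!preg_match('/^([^\[\]]+)((?:\[[^\[\]]*\])*)$/', $template, $m)) {
        throw new InvalidArgumentException('malformed export template: ' . $template);
    }
    preg_match_all('/\[([^\[\]]*)\]/', $m[2], $keys);
    return array_merge([$m[1]], $keys[1]);
}

// Store $value in $target at the path the template yields for the current argument base.
function exportValue(array &$target, string $template, array $baseParts, $value): void
{
    $ref = &$target;
    foreach (splitExportPath($template) as $segment) {
        // Expand each segment on its own so that a request key containing
        // "[" or "]" cannot change the shape of the export path.
        $key = vsprintf($segment, $baseParts);
        // An empty segment ("[]") yields the literal key "", never an append.
        if (!isset($ref[$key]) || !is_array($ref[$key])) {
            $ref[$key] = [];
        }
        $ref = &$ref[$key];
    }
    $ref = $value;
}

// Constructed request input, as if the URL carried ?foo[0]=a&foo[29]=b
$request = ['foo' => ['0' => 'a', '29' => 'b']];
foreach (['bar[%2$s]', 'bar[%2$s][bar]', 'bar[]', 'lastfoo', 'foo_%2$s'] as $template) {
    $out = [];
    foreach ($request['foo'] as $key => $value) {
        // Base parts: 1 = "foo", 2 = current key in iteration (never the argument name).
        exportValue($out, $template, ['foo', (string) $key], $value);
    }
    echo $template, ' => ', json_encode($out), "\n";
}
```

With the `bar[]` template both values land on the same empty-string key, so the request's choice of offset (`29`) has no influence on where the exported value ends up.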