[Web-SIG] validation (was: Form field dictionaries)
gstein at lyra.org
Fri Oct 24 16:52:36 EDT 2003
On Fri, Oct 24, 2003 at 01:27:08PM -0400, Steve Holden wrote:
> I've argued in the past that the correct approach is to determine in
> advance which fields can take multiple values, and reject multiple
> values for other fields as an error early in the form processing.
Actually, I would upgrade this *way* past what you're thinking here. I
think that every input/form field should have a definition and associated
validation for it. Simple reason: cross-site scripting attacks.
CSS attacks are a very real worry, and I think any core, form-handling on
the server should provide easy mechanisms for dealing with it.
Within ViewCVS, I process all incoming parameters. If the param is not
recognized, an error is thrown. If the param does not match a specific
format (e.g. numeric or matching <some-regex>), then an error is thrown.
ViewCVS doesn't have multi-valued parameters, but the validation concept
could easily test a mismatch between single/multi values.
Greg Stein, http://www.lyra.org/
More information about the Web-SIG