[TYPO3-50-general] RFC: Validation Refactoring
Bastian Waidelich
bastian at typo3.org
Wed Sep 16 10:48:24 CEST 2009
Hi there,

I just want to add a little note to 1) because it seems quite radical to
remove the TextValidator as default.

I don't like the current TextValidator, because:
- the name is misleading, it does not imply that the validator does not
allow HTML characters.
- a secure default is great. But who knows what is secure in the current
context... E.g. a string might be free of XSS code but contain a SQL
injection (I know that hopefully won't work for FLOW3CR, but you get the
point). IMO the "endpoint" should make sure that the string is properly
escaped.

Bastian
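
The point about context, as an added example that is not part of the original post and is not FLOW3 code: a Python sketch in which `text_validator` is a hypothetical stand-in for a validator that rejects only HTML characters, shown next to endpoints that escape or bind for their own context. All sample values and table contents are constructed.

```python
import html
import re
import sqlite3

# Constructed sample inputs (not from the original post).
SQL_SAMPLE = "x' OR '1'='1"   # no HTML characters, but changes a concatenated query
TEXT_SAMPLE = "Tom & Jerry"   # harmless text that an HTML-character filter rejects


def text_validator(value: str) -> bool:
    """Hypothetical stand-in for a validator that only rejects HTML characters."""
    return re.search(r"[<>&]", value) is None


def make_db() -> sqlite3.Connection:
    """In-memory database with two constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT)")
    db.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])
    return db


def find_user_concat(db, name):
    """Endpoint that trusts earlier validation and concatenates the value."""
    query = "SELECT name FROM users WHERE name = '" + name + "'"
    return db.execute(query).fetchall()


def find_user_bound(db, name):
    """Endpoint that binds the value as a parameter; it stays data."""
    return db.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()


def render_html(value: str) -> str:
    """HTML endpoint that escapes for its own context."""
    return "<p>" + html.escape(value, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    print("validator accepts SQL sample:", text_validator(SQL_SAMPLE))
    print("concatenated query rows:", find_user_concat(db, SQL_SAMPLE))
    print("bound query rows:", find_user_bound(db, SQL_SAMPLE))
    print("validator accepts text sample:", text_validator(TEXT_SAMPLE))
    print("escaped output:", render_html(TEXT_SAMPLE))
```

The validator accepts the SQL sample and rejects the harmless text, while the bound query and the escaping renderer handle both correctly without any input filter.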