[TYPO3-core] RFC #9553: Bug: Form validation script jsfunc.validateform.js sometimes fails in IE
Patrick Broens
patrick at netcreators.com
Sun Oct 19 13:30:24 CEST 2008
Hi,
Vladimir Podkovanov wrote:
> Dmitry Dulepov wrote:
>> Hi!
>>
>> Vladimir Podkovanov wrote:
>>> Yes, I think it is a good way and IMHO it should be configurable from
>>> content element and in FORM cObj - choosing whether client side
>>> processing, server side processing or both should be used.
>>
>> Server side processing must always be used. Client side is an
>> addition, it can be switched off. But server side cannot and must not
>> be switched off. This is a security measure. It is possible to send
>> form data using even telnet. If there are no server side checks, there
>> is a big security risk for the system.
>>
>
> Hi! By server side processing I meant checking required fields, IMHO it
> should not be a security issue if it is switched off. By now it is
> working only client side and could be easily tricked, so form data can
> be sent without required fields, it is annoying but not a security
> problem.
Currently I'm working on a totally new FORM cObj [1] where server side
validation of the fields will be the default. The project will take
about 4 months. It will be available in the near future.

Patrick

[1] http://wiki.typo3.org/index.php/Form_cObj_for_TYPO3_4.3
>
> BTW what about the initial patch, it is a no-brainer, could you look
> and commit? Thx :)