Commit 02bf1183 authored by Carsten Rose

#5022 / Variable violates sanitize class: 'msg' instead of empty string - new identifier "!!<sanitize class>!!"
parent f592392c
......@@ -951,17 +951,15 @@ specific locations in the text will be (automatically by QFQ) replaced by values
Sanitize class
--------------
* If a value violates a parameter sanitize class, the value becomes an empty string.
* Per store there is a default if sanitizing applies and if yes, which class.
* Store *C* (Client=Browser) and store *F* (Form) will be sanitized with 'digit'.
Values in STORE_CLIENT *C* (Client=Browser) and STORE_FORM *F* (Form, HTTP 'post') will be checked against a sanitize class.
Values from other stores are not checked against any sanitize class.
* If a value violates the specific sanitize class, the value becomes `!!<name of sanitize class>!!`. E.g. `!!gigit!!`.
* All `predefined-variable-names`_ have a specific default sanitize class. For these variables, it's not necessary
to specify a sanitize class.
* All other variables (Store: C, F) get by default the sanitize class defined in the corresponding form. If not defined,
to specify an individual sanitize class.
* All other variables get by default the sanitize class defined in the corresponding `FormElement`. If not defined,
the default class is 'digit'.
* A default sanitize class can be overwritten by individual definition: *{{a:C:all}}*
* If there is a sanitized class specified, it applies to all given stores.
For QFQ variables and FormElements:
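Review bot: the example on the new bullet "the value becomes `!!<name of sanitize class>!!`. E.g. `!!gigit!!`" has a typo; it should read `!!digit!!`, since 'digit' is the default class named two bullets below and readers will search the manual for the literal marker they see in their output. While touching this block, "If there is a sanitized class specified" in the last bullet should be "sanitize class" to match the term used everywhere else in the section.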
......@@ -1043,8 +1041,8 @@ defining the `escape` modifier `m`.
**QFQ notice**:
* Variables passed by the client (=Browser) are untrusted and use the default sanitize class 'digit' (if nothing else is
specified). If alpha characters are submitted, the content violates `digit` and becomes therefore empty - there is no
error message. Best is to always use SIP or digits.
specified). If alpha characters are submitted, the content violates `digit` and becomes therefore
`!!<name of sanitize class>!!` - there is no error message. Best is to always use SIP or digits.
Get Parameter
-------------
......
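Review bot: this is a behaviour change for anyone consuming these values, and the notice should say so: previously a violating client value "becomes therefore empty", so code that tested for an empty string (or a falsy value) to detect a rejected parameter now receives the non-empty marker `!!digit!!` instead. The notice still says "there is no error message", which is now only half true; suggest adding one sentence that the marker is the only feedback, that it must never be treated as a valid value in SQL or output, and that checks for an empty value need to be updated to look for the `!!...!!` marker.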
......@@ -416,10 +416,10 @@ class Store {
/**
* Cycles through all stores in $useStore.
* First match will return the found value.
* During cycling: fill cache with requestet value and sanitize raw value.
* During cycling: fill cache with requested value and sanitize raw value.
*
* @param string $key
* @param string $useStores f.e.: 'FSRD'
* @param string $useStores f.e.: 'FSRVD'
* @param string $sanitizeClass
* @param string $foundInStore Returns the name of the store where $key has been found. If $key is not found,
* return ''.
......
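Review bot: the docblock for `$foundInStore` still says "If $key is not found, return ''", but with this commit a key that is found and then fails `$sanitizeClass` no longer yields '' either, so the two outcomes are now distinguishable and the doc should say how: document that a sanitize violation returns the `!!<sanitize class>!!` marker while a missing key returns '' (and which store name, if any, `$foundInStore` carries in the violation case). The 'FSRD' → 'FSRVD' example in `@param string $useStores` is fine, but the letters are not explained here; a short mapping (F=Form, S=SIP, ...) in the docblock would help the next reader.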