From 02bf1183e9ecd2c2169f9b94bddf5721ec820532 Mon Sep 17 00:00:00 2001
From: Carsten  Rose <carsten.rose@math.uzh.ch>
Date: Sun, 28 Jan 2018 11:16:12 +0100
Subject: [PATCH] #5022 / Variable violates sanitize class: 'msg' instead of
 empty string - new identifier "!!<sanitize class>!!"

---
 extension/Documentation/Manual.rst | 16 +++++++---------
 extension/qfq/qfq/store/Store.php  |  4 ++--
 2 files changed, 9 insertions(+), 11 deletions(-)

diff --git a/extension/Documentation/Manual.rst b/extension/Documentation/Manual.rst
index 260357d3d..fd15f869a 100644
--- a/extension/Documentation/Manual.rst
+++ b/extension/Documentation/Manual.rst
@@ -951,17 +951,15 @@ specific locations in the text will be (automatically by QFQ) replaced by values
 Sanitize class
 --------------
 
-* If a value violates a parameter sanitize class, the value becomes an empty string.
-* Per store there is a default if sanitizing applies and if yes, which class.
-
-  * Store *C* (Client=Browser) and store *F* (Form) will be sanitized with 'digit'.
+Values in STORE_CLIENT *C* (Client=Browser) and STORE_FORM *F* (Form, HTTP 'post') will be checked against a sanitize class.
+Values from other stores are not checked against any sanitize class.
 
+* If a value violates the specific sanitize class, the value becomes `!!<name of sanitize class>!!`. E.g. `!!gigit!!`.
 * All `predefined-variable-names`_ have a specific default sanitize class. For these variables, it's not necessary
-  to specify a sanitize class.
-* All other variables (Store: C, F) get by default the sanitize class defined in the corresponding form. If not defined,
+  to specify an individual sanitize class.
+* All other variables get by default the sanitize class defined in the corresponding `FormElement`. If not defined,
   the default class is 'digit'.
 * A default sanitize class can be overwritten by individual definition: *{{a:C:all}}*
-* If there is a sanitized class specified, it applies to all given stores.
 
 For QFQ variables and FormElements:
 
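Review bot: the example in the added bullet "If a value violates the specific sanitize class ..." reads `!!gigit!!`, which is not a sanitize class name; it should be `!!digit!!`, matching the default class 'digit' named a few bullets further down. Because the violation result changes here from an empty string to a non-empty marker, the section should also state how a form or report author is expected to recognise the marker, since a test for an empty value no longer catches a violation.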
@@ -1043,8 +1041,8 @@ defining the `escape` modifier `m`.
 **QFQ notice**:
 
 * Variables passed by the client (=Browser) are untrusted and use the default sanitize class 'digit' (if nothing else is
-  specified). If alpha characters are submitted, the content violates `digit` and becomes therefore empty - there is no
-  error message. Best is to always use SIP or digits.
+  specified). If alpha characters are submitted, the content violates `digit` and becomes therefore
+  `!!<name of sanitize class>!!` - there is no error message. Best is to always use SIP or digits.
 
 Get Parameter
 -------------
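Review bot: the reworded QFQ notice is specifically about the default class 'digit', so the result should be given as the literal `!!digit!!` rather than the generic `!!<name of sanitize class>!!`. The retained "there is no error message" now sits next to a visible marker; consider saying that the marker is the only indication of the violation, so the sentence does not read as if the failure were still silent.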
diff --git a/extension/qfq/qfq/store/Store.php b/extension/qfq/qfq/store/Store.php
index 6d992bc06..87061446d 100644
--- a/extension/qfq/qfq/store/Store.php
+++ b/extension/qfq/qfq/store/Store.php
@@ -416,10 +416,10 @@ class Store {
     /**
      * Cycles through all stores in $useStore.
      * First match will return the found value.
-     * During cycling: fill cache with requestet value and sanitize raw value.
+     * During cycling: fill cache with requested value and sanitize raw value.
      *
      * @param string $key
-     * @param string $useStores f.e.: 'FSRD'
+     * @param string $useStores f.e.: 'FSRVD'
      * @param string $sanitizeClass
      * @param string $foundInStore Returns the name of the store where $key has been found. If $key is not found,
      *                             return ''.
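Review bot: the only Store.php changes in this patch are the two docblock lines (the "requested" spelling fix and 'FSRD' to 'FSRVD'), and the diffstat confirms 2 insertions and 2 deletions for this file, so no code that returns `!!<sanitize class>!!` is part of the change announced in the subject. Either include the implementation here or reference the commit that carries it, and document the new return value at `@param string $sanitizeClass` so that callers that compared the result to an empty string can be found and updated. The added 'V' in the 'FSRVD' example is also not explained anywhere in the visible docblock.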
-- 
GitLab