Commit 02bf1183 authored by Carsten Rose


#5022 / Variable violates sanitize class: 'msg' instead of empty string - new identifier "!!<sanitize class>!!"
parent f592392c
...@@ -951,17 +951,15 @@ specific locations in the text will be (automatically by QFQ) replaced by values ...@@ -951,17 +951,15 @@ specific locations in the text will be (automatically by QFQ) replaced by values
Sanitize class Sanitize class
-------------- --------------
* If a value violates a parameter sanitize class, the value becomes an empty string. Values in STORE_CLIENT *C* (Client=Browser) and STORE_FORM *F* (Form, HTTP 'post') will be checked against a sanitize class.
* Per store there is a default if sanitizing applies and if yes, which class. Values from other stores are not checked against any sanitize class.
* Store *C* (Client=Browser) and store *F* (Form) will be sanitized with 'digit'.
* If a value violates the specific sanitize class, the value becomes `!!<name of sanitize class>!!`. E.g. `!!gigit!!`.
* All `predefined-variable-names`_ have a specific default sanitize class. For these variables, it's not necessary * All `predefined-variable-names`_ have a specific default sanitize class. For these variables, it's not necessary
to specify a sanitize class. to specify an individual sanitize class.
* All other variables (Store: C, F) get by default the sanitize class defined in the corresponding form. If not defined, * All other variables get by default the sanitize class defined in the corresponding `FormElement`. If not defined,
the default class is 'digit'. the default class is 'digit'.
* A default sanitize class can be overwritten by individual definition: *{{a:C:all}}* * A default sanitize class can be overwritten by individual definition: *{{a:C:all}}*
* If there is a sanitized class specified, it applies to all given stores.
For QFQ variables and FormElements: For QFQ variables and FormElements:
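Review bot: the example marker in the new bullet is misspelled, `!!gigit!!` should read `!!digit!!` so it matches the class name used everywhere else in this section, and the last new bullet says "sanitized class" where the rest of the section says "sanitize class". The new bullet "Store *C* (Client=Browser) and store *F* (Form) will be sanitized with 'digit'" also reads as if 'digit' is always applied, while two bullets later the default is the class defined in the corresponding FormElement with 'digit' only as the fallback; rewording it to "... default to 'digit'" (or dropping it, since the later bullet already covers it) avoids the contradiction. Since a violating value is now replaced by `!!<name of sanitize class>!!` instead of an empty string, it is worth saying explicitly here that the original client value is discarded and only the class name is emitted, so readers do not mistake the marker for partial pass-through of untrusted input.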
...@@ -1043,8 +1041,8 @@ defining the `escape` modifier `m`. ...@@ -1043,8 +1041,8 @@ defining the `escape` modifier `m`.
**QFQ notice**: **QFQ notice**:
* Variables passed by the client (=Browser) are untrusted and use the default sanitize class 'digit' (if nothing else is * Variables passed by the client (=Browser) are untrusted and use the default sanitize class 'digit' (if nothing else is
specified). If alpha characters are submitted, the content violates `digit` and becomes therefore empty - there is no specified). If alpha characters are submitted, the content violates `digit` and becomes therefore
error message. Best is to always use SIP or digits. `!!<name of sanitize class>!!` - there is no error message. Best is to always use SIP or digits.
Get Parameter Get Parameter
------------- -------------
...@@ -416,10 +416,10 @@ class Store { ...@@ -416,10 +416,10 @@ class Store {
/** /**
* Cycles through all stores in $useStore. * Cycles through all stores in $useStore.
* First match will return the found value. * First match will return the found value.
* During cycling: fill cache with requestet value and sanitize raw value. * During cycling: fill cache with requested value and sanitize raw value.
* *
* @param string $key * @param string $key
* @param string $useStores f.e.: 'FSRD' * @param string $useStores f.e.: 'FSRVD'
* @param string $sanitizeClass * @param string $sanitizeClass
* @param string $foundInStore Returns the name of the store where $key has been found. If $key is not found, * @param string $foundInStore Returns the name of the store where $key has been found. If $key is not found,
* return ''. * return ''.
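Review bot: this docblock still does not say what happens when the found value violates `$sanitizeClass`; since this is the loop that "sanitize[s] raw value" while filling the cache, the `@param string $sanitizeClass` line (or a `@return` line) should state that a violating value comes back as `!!<sanitize class>!!` rather than `''`, which is the behaviour change the commit message announces and which callers that test for an empty string need to know about. The `$useStores` example changes from 'FSRD' to 'FSRVD' without explaining the added 'V' letter; a short list of what each store letter stands for would make the example self-explanatory. The "requestet" -> "requested" fix is fine.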