Commit 072c1960 authored by Carsten  Rose's avatar Carsten Rose

F5112 - Add incompatibility warning for encode specialchar and checkType...

F5112 - Add incompatibility warning for encode specialchar and checkType allbut… - change: no warning, allow '&'. This makes more sense than throwing a warning and forcing the user to switch to encoding='NONE'.
parent b97bbc72
......@@ -1251,7 +1251,7 @@ For QFQ variables and FormElements:
+------------------+------+-------+-----------------------------------------------------------------------------------------+
| **numerical** | Form | Query | [0-9.-+] |
+------------------+------+-------+-----------------------------------------------------------------------------------------+
| **allbut** | Form | Query | All characters allowed, but not [ ] { } % & \ #. The used regexp: '^[^\[\]{}%&\\#]+$', |
| **allbut** | Form | Query | All characters allowed, but not [ ] { } % \ #. The used regexp: '^[^\[\]{}%\\#]+$', |
+------------------+------+-------+-----------------------------------------------------------------------------------------+
| **all** | Form | Query | no sanitizing |
+------------------+------+-------+-----------------------------------------------------------------------------------------+
......@@ -2644,14 +2644,14 @@ Fields:
| | 'beforeInsert', 'beforeUpdate', 'beforeDelete', 'afterLoad', 'afterSave', 'afterInsert', 'afterUpdate', 'afterDelete', |
| | 'sendMail') |
+---------------------+-----------------------------+-----------------------------------------------------------------------------------------------------+
|Encode | 'none', 'specialchar' | With 'specialchar' (default) the chars <>"'& will be encoded to their htmlentity. _field-encode |
|Encode | 'none', 'specialchar' | With 'specialchar' (default) the chars <>"'& will be encoded to their htmlentity. _`field-encode` |
+---------------------+-----------------------------+-----------------------------------------------------------------------------------------------------+
|Check Type | enum('auto', 'alnumx', | See: `sanitize-class`_ |
| | 'digit', 'numerical', | |
| | 'email', 'pattern', | |
| | 'allbut', 'all') | |
+---------------------+-----------------------------+-----------------------------------------------------------------------------------------------------+
|Check Pattern | 'regexp' | _`field-checkpattern`: If $checkType=='pattern': pattern to match |
|Check Pattern | 'regexp' | _`field-checktype`: If $checkType=='pattern': pattern to match |
+---------------------+-----------------------------+-----------------------------------------------------------------------------------------------------+
|Order | string | Display order of *FormElements* ('order' is a reserved keyword) _`field-ord` |
+---------------------+-----------------------------+-----------------------------------------------------------------------------------------------------+
......
......@@ -28,7 +28,7 @@ class Sanitize {
SANITIZE_ALLOW_NUMERICAL => '^[\d.+-]*$',
SANITIZE_ALLOW_EMAIL => '^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$',
SANITIZE_ALLOW_PATTERN => '',
SANITIZE_ALLOW_ALLBUT => '^[^\[\]{}%&\\\\#]*$',
SANITIZE_ALLOW_ALLBUT => '^[^\[\]{}%\\\\#]*$',
SANITIZE_ALLOW_ALL => '.*',
];
......@@ -38,7 +38,7 @@ class Sanitize {
SANITIZE_ALLOW_NUMERICAL => 'Allowed characters: 0...9 and .+-',
SANITIZE_ALLOW_EMAIL => 'Requested format: string@domain.tld',
SANITIZE_ALLOW_PATTERN => 'Please match the requested format',
SANITIZE_ALLOW_ALLBUT => 'Forbidden characters: ^[]{}%&\#',
SANITIZE_ALLOW_ALLBUT => 'Forbidden characters: ^[]{}%\#',
SANITIZE_ALLOW_ALL => '',
];
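Review bot: The user-facing message on the new SANITIZE_ALLOW_ALLBUT line still lists `^` as a forbidden character, but `^` is only the negation operator of the character class in the regexp and is accepted by it (the test's $good string contains `^`); change it to `SANITIZE_ALLOW_ALLBUT => 'Forbidden characters: []{}%\#',`. Separately, the new regexp uses `*`, so an empty value passes 'allbut', while the documentation changed in this same commit quotes the pattern with `+`; one of the two should be aligned so the docs describe what the code enforces. Dropping `&` from the class does not change the XSS posture of this check, because `<`, `>`, `"` and `'` were never rejected by 'allbut' (they sit in the test's $good string); output encoding via Encode='specialchar' remains the only control, and a FormElement with Encode='none' now receives a raw `&` as well, which is worth stating in the sanitize-class documentation.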
......
......@@ -208,8 +208,8 @@ class SanitizeTest extends TestCase {
/**
*/
public function testSanitizeExceptionAllBut() {
$bad = "[]{}%&\\#";
$good = 'abCD01`~!@$^*()_+=-|":;.,<>/?\'';
$bad = "[]{}%\\#";
$good = 'abCD01`~&!@$^*()_+=-|":;.,<>/?\'';
// Single
$this->assertEquals('!!allbut!!', Sanitize::sanitize('[', SANITIZE_ALLOW_ALLBUT), "SANITIZE_ALLOW_ALLBUT fails");
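Review bot: The $good string now carries `&`, but the only visible assertion for the new behaviour is the rejection of `[`; add a one-character check so a regression that reinstates `&` in the class fails on its own, e.g. `$this->assertEquals('&', Sanitize::sanitize('&', SANITIZE_ALLOW_ALLBUT), "SANITIZE_ALLOW_ALLBUT fails");`. testSanitizeExceptionAllBut continues past the end of the hunk, so $good may already be asserted as a whole there; a single-character case still isolates this change from the rest of the allowed set.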
......