Commit 69048edd authored by Carsten Rose

Manual.rst: add doc for cleaned 'type' and 'L' parameter.

parent f5234274
......@@ -1090,10 +1090,10 @@ Sanitize class
Values in STORE_CLIENT *C* (Client=Browser) and STORE_FORM *F* (Form, HTTP 'post') are checked against a
sanitize class. Values from other stores are not checked against any sanitize class.
* If a value violates the specific sanitize class, the value becomes `!!<name of sanitize class>!!`. E.g. `!!gigit!!`.
* If a value violates the specific sanitize class, the value becomes `!!<name of sanitize class>!!`. E.g. `!!digit!!`.
* Variables get by default the sanitize class defined in the corresponding `FormElement`. If not defined,
the default class is 'digit'.
* A default sanitize class can be overwritten by individual definition: *{{a:C:all}}*
* A default sanitize class can be overwritten by individual definition: *{{a:C:alnumx}}*
For QFQ variables and FormElements:
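Review bot: the default sanitize class is stated inconsistently: the unchanged line "the default class is 'digit'" in this hunk names 'digit' alone, while the Security hunk further down changes the wording to "'digit' or 'alnumx' is the default". Pick one place to state which default applies in which situation so a reader can predict why a value came back as `!!digit!!`. The `!!gigit!!` -> `!!digit!!` and `{{a:C:all}}` -> `{{a:C:alnumx}}` corrections themselves are fine.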
......@@ -1114,14 +1114,14 @@ For QFQ variables and FormElements:
Only in FormElement:
+------------------+------+-------+-----------------------------------------------------------------------------------------+
| **auto** | Form | | Only supported for FormElements. Most suitable checktype is dynamically evaluated based |
| | | | native column definition, the FormElement type, and other info. See below for details. |
+------------------+------+-------+-----------------------------------------------------------------------------------------+
| **email** | Form | Query | [a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,} |
+------------------+------+-------+-----------------------------------------------------------------------------------------+
| **pattern** | Form | | Compares the value against a regexp. |
+------------------+------+-------+-----------------------------------------------------------------------------------------+
+------------------+------+-------+-------------------------------------------------------------------------------------------+
| **auto** | Form | | Only supported for FormElements. Most suitable checktype is dynamically evaluated based |
| | | | on native column definition, the FormElement type, and other info. See below for details. |
+------------------+------+-------+-------------------------------------------------------------------------------------------+
| **email** | Form | Query | [a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,} |
+------------------+------+-------+-------------------------------------------------------------------------------------------+
| **pattern** | Form | | Compares the value against a regexp. |
+------------------+------+-------+-------------------------------------------------------------------------------------------+
Rules for CheckType Auto (by priority):
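Review bot: the widened grid table is consistent (every border and row now has the same width, which docutils requires), so the fix is correct. Style point on the **email** row: the regexp is written with `\\.` so that reStructuredText renders a single backslash; putting the pattern in an inline literal (``[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}``) would keep it verbatim, avoid the double escaping, and make it obvious that the cell is a regexp and not prose.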
......@@ -1171,18 +1171,18 @@ Security
All values passed to QFQ will be:
* Checked against max. length and allowed content, on the client and on the server side. On the server side, the check
happens before any further processing. The 'length' and 'allowed' content is specified per `FormElement`. 'alnumx' is the
default allowed content for those. Violating the rules will stop the 'save record' process (Form) or result in an empty value (Report).
happens before any further processing. The 'length' and 'allowed' content is specified per `FormElement`. 'digit' or
'alnumx' is the default. Violating the rules will stop the 'save record' process (Form) or result in an empty
value (Report). If a variable is not replaced, check the default sanitize class.
* Only elements defined in the `Form` definition or requested by `Report` will be processed.
* UTF8 normalized (normalizer::normalize) to unify different ways of composing characters. It's more a database interest
* UTF8 normalized (normalizer::normalize) to unify different ways of composing characters. It's more a database interest,
to work with unified data.
SQL statements are typically fired as `prepared statements` with separated variables.
Further *custom* SQL statements will be defined by the webmaster - those do not use `prepared statements` and might be
affected by SQL injection. To prevent SQL injection, every variable can be escaped with `mysqli::real_escape_string` by
defining the `escape` modifier `m`.
affected by SQL injection. To prevent SQL injection, every variable is by default escaped with `mysqli::real_escape_string`.
**QFQ notice**:
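Review bot: the rewritten last sentence now says every variable is escaped by default with `mysqli::real_escape_string`, but it drops the `m` modifier the old text documented; if a modifier still exists to switch escaping on or off, it should stay documented, because a webmaster writing *custom* SQL needs to know how to get the raw value and what that costs. The same paragraph would benefit from one caveat: `real_escape_string` only protects values placed inside quoted string literals, so a variable interpolated unquoted (a numeric comparison, ORDER BY, LIMIT) still relies on a restrictive sanitize class such as 'digit', and the text should say so next to "might be affected by SQL injection".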
......@@ -1197,7 +1197,12 @@ Get Parameter
* GET parameter might contain urlencoded content (%xx). Therefore all GET parameter will be processed by 'urldecode()'.
As a result a text like '%nn' in GET variables will always be decoded. It's not possible to transfer '%nn' itself.
* GET variables are limited to securityGetMaxLength chars - any violation will stop QFQ.
* GET values are limited to securityGetMaxLength (extension-manager-qfq-configuration_) chars - any violation will
stop QFQ. Individual exceptions are defined via ExceptionMaxLength_.
* GET parameter 'type' and 'L' might affected by (T3, configuration dependent) cache poisoning. If they contain non digit
values, only the first character is used (if this is a digit) or completely cleaned (else).
Post Parameter
--------------
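Review bot: the new bullet about 'type' and 'L' has a grammar slip ("might affected" -> "might be affected") and its cleaning rule is ambiguous: "only the first character is used (if this is a digit) or completely cleaned (else)" does not say whether a value like '12a' becomes '1', '12' or is dropped, nor whether "completely cleaned" means the parameter is unset or set to an empty string. One or two concrete input/output pairs would settle this. The new `ExceptionMaxLength_` and `extension-manager-qfq-configuration_` references also need matching `.. _...:` targets elsewhere in Manual.rst, otherwise docutils reports unknown target names.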
......@@ -1248,8 +1253,8 @@ Variables needed by Typo3 remains on the link and are not 'sip-encoded'.
.. _`SecureDirectFileAccess`:
Secure direct fileaccess
------------------------
Secure direct file access
-------------------------
If the application uploads files, mostly it's not necessary and often a security issue, to offer a direct download of
the uploaded files. Best is to create a directory, e.g. `<site path>/fileadmin/protected` and deny direct access via webbrowser to it.
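Review bot: the underline is correctly extended to the length of the new title "Secure direct file access" (docutils rejects an underline shorter than the title), and keeping the `.. _`SecureDirectFileAccess`:` label above the heading preserves existing references. Minor wording in the unchanged context: "mostly it's not necessary and often a security issue, to offer" reads awkwardly; "it is usually unnecessary, and often a security risk, to offer" says the same thing more clearly.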
......@@ -4155,7 +4160,7 @@ QFQ content record::
head = <form action='#' method='get'><input type='hidden' name='id' value='{{pageId:T}}'>Search: <input type='text' name='search' value='{{search:CE:all}}'><input type='submit' value='Submit'></form>
}
# SQL statement will find and list all the relevant forms - be careful not to open a cross site scripting door: the parameter 'search' needs to be sanatized.
# SQL statement will find and list all the relevant forms - be careful not to open a cross site scripting door: the parameter 'search' needs to be sanitized.
20 {
sql = SELECT CONCAT('?detail&form=form&r=', f.id) AS _Pagee, f.id, f.name, f.title
FROM Form AS f
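Review bot: the spelling fix in the comment is fine, but the warning it carries applies to the context line two lines above it: `value='{{search:CE:all}}'` overrides the default sanitize class with 'all' and echoes the GET parameter straight into an HTML attribute, which is exactly the cross-site-scripting door the comment warns about. Unless the `head` output is escaped somewhere else, the example should use a restrictive sanitize class (for instance `{{search:CE:alnumx}}`, consistent with the default named in the Sanitize section) or state explicitly where the escaping happens.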