From 69048edd50930866c3d6dbf92beaecaa932a4492 Mon Sep 17 00:00:00 2001
From: Carsten  Rose <carsten.rose@math.uzh.ch>
Date: Sun, 6 May 2018 13:36:38 +0200
Subject: [PATCH] Manual.rst: add doc for cleaned 'type' and 'L' parameter.

---
 extension/Documentation/Manual.rst | 43 +++++++++++++++++-------------
 1 file changed, 24 insertions(+), 19 deletions(-)

diff --git a/extension/Documentation/Manual.rst b/extension/Documentation/Manual.rst
index b56ce14be..d343f6f85 100644
--- a/extension/Documentation/Manual.rst
+++ b/extension/Documentation/Manual.rst
@@ -1090,10 +1090,10 @@ Sanitize class
 Values in STORE_CLIENT *C* (Client=Browser) and STORE_FORM *F* (Form, HTTP 'post') are checked against a
 sanitize class. Values from other stores are not checked against any sanitize class.
 
-* If a value violates the specific sanitize class, the value becomes `!!<name of sanitize class>!!`. E.g. `!!gigit!!`.
+* If a value violates the specific sanitize class, the value becomes `!!<name of sanitize class>!!`. E.g. `!!digit!!`.
 * Variables get by default the sanitize class defined in the corresponding `FormElement`. If not defined,
   the default class is 'digit'.
-* A default sanitize class can be overwritten by individual definition: *{{a:C:all}}*
+* A default sanitize class can be overwritten by individual definition: *{{a:C:alnumx}}*
 
 For QFQ variables and FormElements:
 
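Review bot: the bullet "If not defined, the default class is 'digit'" now disagrees with the Security hunk in this same patch, which says "'digit' or 'alnumx' is the default"; state in one place which default applies to QFQ variables and which to FormElements, otherwise a reader cannot tell what an unqualified `{{a:C}}` is checked against. The switch of the example from `{{a:C:all}}` to `{{a:C:alnumx}}` is a good change, since the example should show a restrictive class rather than the most permissive one.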
@@ -1114,14 +1114,14 @@ For QFQ variables and FormElements:
 
 Only in FormElement:
 
-+------------------+------+-------+-----------------------------------------------------------------------------------------+
-| **auto**         | Form |       | Only supported for FormElements. Most suitable checktype is dynamically evaluated based |
-|                  |      |       | native column definition, the FormElement type, and other info. See below for details.  |
-+------------------+------+-------+-----------------------------------------------------------------------------------------+
-| **email**        | Form | Query | [a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}                                         |
-+------------------+------+-------+-----------------------------------------------------------------------------------------+
-| **pattern**      | Form |       | Compares the value against a regexp.                                                    |
-+------------------+------+-------+-----------------------------------------------------------------------------------------+
++------------------+------+-------+-------------------------------------------------------------------------------------------+
+| **auto**         | Form |       | Only supported for FormElements. Most suitable checktype is dynamically evaluated based   |
+|                  |      |       | on native column definition, the FormElement type, and other info. See below for details. |
++------------------+------+-------+-------------------------------------------------------------------------------------------+
+| **email**        | Form | Query | [a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}                                           |
++------------------+------+-------+-------------------------------------------------------------------------------------------+
+| **pattern**      | Form |       | Compares the value against a regexp.                                                      |
++------------------+------+-------+-------------------------------------------------------------------------------------------+
 
 
 Rules for CheckType Auto (by priority):
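Review bot: the **email** row documents the pattern `[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}` without anchors; say whether the check is a full match or a substring match, because an unanchored pattern would also accept a value with arbitrary characters before or after the address, which matters for a sanitize class that the Security section relies on. The column widening itself is fine and the wrapped "based on native column definition" now reads correctly.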
@@ -1171,18 +1171,18 @@ Security
 All values passed to QFQ will be:
 
 * Checked against max. length and allowed content, on the client and on the server side. On the server side, the check
-  happens before any further processing. The 'length' and 'allowed' content is specified per `FormElement`. 'alnumx' is the
-  default allowed content for those. Violating the rules will stop the 'save record' process (Form) or result in an empty value (Report).
+  happens before any further processing. The 'length' and 'allowed' content is specified per `FormElement`. 'digit' or
+  'alnumx' is the default. Violating the rules will stop the 'save record' process (Form) or result in an empty
+  value (Report). If a variable is not replaced, check the default sanitize class.
 
 * Only elements defined in the `Form` definition or requested by `Report` will be processed.
 
-* UTF8 normalized (normalizer::normalize) to unify different ways of composing characters. It's more a database interest
+* UTF8 normalized (normalizer::normalize) to unify different ways of composing characters. It's more a database interest,
   to work with unified data.
 
 SQL statements are typically fired as `prepared statements` with separated variables.
 Further *custom* SQL statements will be defined by the webmaster - those do not use `prepared statements` and might be
-affected by SQL injection. To prevent SQL injection, every variable can be escaped with `mysqli::real_escape_string` by
-defining the `escape` modifier `m`.
+affected by SQL injection. To prevent SQL injection, every variable is by default escaped with `mysqli::real_escape_string`.
 
 **QFQ notice**:
 
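Review bot: the new sentence "every variable is by default escaped with `mysqli::real_escape_string`" removes the old description of the `escape` modifier `m` without saying whether escaping can still be switched off per variable; document the opt-out (if any), and add one sentence that `real_escape_string` only protects values placed inside quoted string literals, so custom SQL that interpolates a variable as an unquoted number, a column name or an ORDER BY target remains injectable and should still use a sanitize class such as 'digit'. The added "If a variable is not replaced, check the default sanitize class." is too terse to act on; tie it to the `!!<name of sanitize class>!!` marker from the Sanitize class section so readers know what a failed check looks like.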
@@ -1197,7 +1197,12 @@ Get Parameter
 
 * GET parameter might contain urlencoded content (%xx). Therefore all GET parameter will be processed by 'urldecode()'.
   As a result a text like '%nn' in GET variables will always be decoded. It's not possible to transfer '%nn' itself.
-* GET variables are limited to securityGetMaxLength chars - any violation will stop QFQ.
+
+* GET values are limited to securityGetMaxLength (extension-manager-qfq-configuration_) chars - any violation will
+  stop QFQ. Individual exceptions are defined via ExceptionMaxLength_.
+
+* GET parameter 'type' and 'L' might affected by (T3, configuration dependent) cache poisoning. If they contain non digit
+  values, only the first character is used (if this is a digit) or completely cleaned (else).
 
 Post Parameter
 --------------
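Review bot: grammar in the new 'type'/'L' bullet: "might affected by" should read "might be affected by", and "non digit values" should be "non-digit values". More importantly, "completely cleaned (else)" does not say what the parameter becomes; state the resulting value (e.g. empty or removed) and what QFQ does with an empty 'type' or 'L', since the point of this change is to make the cache-poisoning mitigation verifiable. The two new cross-references `extension-manager-qfq-configuration_` and `ExceptionMaxLength_` need matching `.. _` targets elsewhere in Manual.rst or the RST build will warn on unknown references.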
@@ -1248,8 +1253,8 @@ Variables needed by Typo3 remains on the link and are not 'sip-encoded'.
 
 .. _`SecureDirectFileAccess`:
 
-Secure direct fileaccess
-------------------------
+Secure direct file access
+-------------------------
 
 If the application uploads files, mostly it's not necessary and often a security issue, to offer a direct download of
 the uploaded files. Best is to create a directory, e.g. `<site path>/fileadmin/protected` and deny direct access via webbrowser to it.
@@ -4155,7 +4160,7 @@ QFQ content record::
     head = <form action='#' method='get'><input type='hidden' name='id' value='{{pageId:T}}'>Search: <input type='text' name='search' value='{{search:CE:all}}'><input type='submit' value='Submit'></form>
   }
 
-  # SQL statement will find and list all the relevant forms - be careful not to open a cross site scripting door: the parameter 'search' needs to be sanatized.
+  # SQL statement will find and list all the relevant forms - be careful not to open a cross site scripting door: the parameter 'search' needs to be sanitized.
   20 {
     sql = SELECT CONCAT('?detail&form=form&r=', f.id) AS _Pagee, f.id, f.name, f.title
               FROM Form AS f
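Review bot: the typo fix in the comment is fine, but the comment now reads "the parameter 'search' needs to be sanitized" while the `head` line in the surrounding context uses `{{search:CE:all}}`, i.e. the most permissive sanitize class, and echoes the value straight into an HTML attribute (`value='...'`); either change the example to a restrictive class such as `alnumx` or document that `all` output is HTML-escaped here, otherwise the example demonstrates the very cross-site scripting door the comment warns about.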
-- 
GitLab