Manual.rst: security hints, T3 Setup best practice, text input retype, charactercountwrap.

Config.qfq: central defaults for DATA_MATH, DATA_ERROR

Manual.rst: security hints, T3 Setup best practice, text input retype, charactercountwrap.
Config.qfq: central defaults for DATA_MATH, DATA_ERROR
a8074eb6 · Carsten Rose · 4248a43f · a8074eb6 · a8074eb6 · a8074eb6
Commit a8074eb6 authored Jul 01, 2018 by Carsten Rose
--- a/extension/Documentation/Manual.rst
+++ b/extension/Documentation/Manual.rst
@@ -1201,7 +1201,8 @@ affected by SQL injection. To prevent SQL injection, every variable is by defaul

 * Variables passed by the client (=Browser) are untrusted and use the default sanitize class 'digit' (if nothing else is
  specified). If alpha characters are submitted, the content violates `digit` and becomes therefore
-  `!!<name of sanitize class>!!` - there is no error message. Best is to always use SIP or digits.
+  `!!<name of sanitize class>!!` - there is no error message. Best is to always use SIP (value is trustful) or at least
+  digits for GET (=client) parameter (user might change those and therefore those are *not* trustful).

 Get Parameter
 -------------
@@ -1282,7 +1283,7 @@ E.g. for Apache set a htaccess rule: ::
 To offer download of those files, use the reserved columnname '_download' (see `download`_) or variants.

 **Important**: To protect the installation against executing of uploaded malicious script code, disable PHP for the final upload
-directory. E.g. `fileadmin`: ::
+directory. E.g. `fileadmin` (Apache): ::

 		<Directory "/var/www/html/fileadmin">
 			php_admin_flag engine Off
@@ -1294,11 +1295,20 @@ File upload
 -----------

 By default the mime type of every uploaded file is checked against a white list of allowed mime types. The mime type of
-a file can be (easily) faked by an attacker. This check is good to handle regular user file upload for specific file types. To
-prevent attacks against uploading and executing malicous code this won't help.
+a file can be (easily) faked by an attacker. This check is good to handle regular user file upload for specific file types
+but won't help to prevent attacks against uploading and executing malicous code.

 Instead prohibit the execution of user contributed files by the webserver config (`SecureDirectFileAccess`_).

+Typo3 Setup - best practice
+---------------------------
+
+* Activate notification emails for every BE login (if there are only few BE users). In case the backend has been hacked,
+  unusual login's (time or username) will appear: ::
+
+        [BE][warning_email_addr] = <your email>
+        [BE][warning_mode] = 1
+
 .. _`store`:

 Store
@@ -2945,10 +2955,12 @@ Type: text
 * *FormElement.parameter*:

  * *retype* = 1 (optional): Current input element will be rendered twice. The form can only submitted if both elements are equal.
-  * *retypeLabel* = <text> (optional): The label of the second element.
-  * *retypeNote* = <text> (optional): The note of the second element.
-  * *characterCountWrap* = <text1>|<text2> (optional). Displays a character counter below the input/textarea element. If
-    `text1` / `text2` is missing, just display `<current>/</max>`. Customization: `characterCountWrap=<div class=qfq-cc-style>Count: |</div>`
+
+    * *retypeLabel* = <text> (optional): The label of the second element.
+    * *retypeNote* = <text> (optional): The note of the second element.
+
+  * *characterCountWrap* = <div class="qfq-cc-style">Count: |</div>` (optional).
+    Displays a character counter below the input/textarea element.
  * Also check the  :ref:`fe-parameter-attributes` *data-...-error* to customize error messages shown by the validator.
  * *hideZero* = 0|1 (optional): `with hideZero=1` a '0' in the value will be replaced by an empty string.
  * *emptyMeansNull* = [0|1] (optional): with `emptyMeansNull` or `emptyMeansNull=1` a NULL value will be written if

--- a/extension/ext_conf_template.txt
+++ b/extension/ext_conf_template.txt
@@ -117,14 +117,14 @@ editFormPage = form
 # cat=form-config/config; type=string; label=Form data pattern error message:QFQ default is pattern dependent - leave this empty to use pattern specific messages. Customizable error message used in validator.js. 'pattern' violation.
 formDataPatternError =

-# cat=form-config/config; type=string; label=Form data required error message:Default is 'required error'. Customizable error message used in validator.js. 'required' violation.
+# cat=form-config/config; type=string; label=Form data required error message:Default is 'data required'. Customizable error message used in validator.js. 'required' violation.
 formDataRequiredError =

-# cat=form-config/config; type=string; label=Form data match error message:Default is 'match error'. Customizable error message used in validator.js. 'match' violation. Typically used to ensure that two given emails or passwords are identically.
+# cat=form-config/config; type=string; label=Form data match error message:Default is 'Fields do not match'. Customizable error message used in validator.js. 'match' violation. Typically used to ensure that two given emails or passwords are identically.
 formDataMatchError =

-# cat=form-config/config; type=string; label=Form data error message:Default is 'error'. Customizable error message used in validator.js. generic violation.
-formDataError = error
+# cat=form-config/config; type=string; label=Form data error message:Default is 'Error'. Customizable error message used in validator.js. generic violation.
+formDataError =

 # cat=form-config/config; type=boolean; label=Show record-id in form title:Default is off (0). If on (1), append the current record id on the title. New records get '(new)'.
 showIdInFormTitle = 0

--- a/extension/qfq/qfq/Constants.php
+++ b/extension/qfq/qfq/Constants.php
@@ -828,8 +828,8 @@ const F_FE_DATA_MATCH_ERROR = 'data-match-error'; // contains id of the sibling
 const F_FE_DATA_ERROR = 'data-error';

 const F_FE_DATA_PATTERN_ERROR_DEFAULT = 'pattern error'; // Attention: the default is also defined in ext_conf_template.txt
-const F_FE_DATA_REQUIRED_ERROR_DEFAULT = 'required error'; // Attention: the default is also defined in ext_conf_template.txt
-const F_FE_DATA_MATCH_ERROR_DEFAULT = 'match error'; // Attention: the default is also defined in ext_conf_template.txt
+const F_FE_DATA_REQUIRED_ERROR_DEFAULT = 'data required'; // Attention: the default is also defined in ext_conf_template.txt
+const F_FE_DATA_MATCH_ERROR_DEFAULT = 'fields do not'; // Attention: the default is also defined in ext_conf_template.txt

 const F_PARAMETER = 'parameter';    // valid for F_ and FE_


--- a/extension/qfq/qfq/store/Config.php
+++ b/extension/qfq/qfq/store/Config.php
@@ -320,7 +320,8 @@ class Config {
            SYSTEM_THUMBNAIL_DIR_PUBLIC => SYSTEM_THUMBNAIL_DIR_PUBLIC_DEFAULT,

            F_FE_DATA_REQUIRED_ERROR => F_FE_DATA_REQUIRED_ERROR_DEFAULT,
-
+            F_FE_DATA_MATCH_ERROR => F_FE_DATA_MATCH_ERROR_DEFAULT,
+            F_FE_DATA_ERROR => 'error',
        ];

        // To let run legacy code

--- a/extension/qfq/tests/phpunit/StoreTest.php
+++ b/extension/qfq/tests/phpunit/StoreTest.php
@@ -376,10 +376,10 @@ EOT;
        $body .= PHP_EOL . SYSTEM_FORM_BS_LABEL_COLUMNS . ' = 4';
        $body .= PHP_EOL . SYSTEM_FORM_BS_INPUT_COLUMNS . ' = 5';
        $body .= PHP_EOL . SYSTEM_FORM_BS_NOTE_COLUMNS . ' = 6';
-        $body .= PHP_EOL . SYSTEM_FORM_DATA_PATTERN_ERROR . ' = pattern error';
-        $body .= PHP_EOL . SYSTEM_FORM_DATA_REQUIRED_ERROR . ' = required error';
-        $body .= PHP_EOL . SYSTEM_FORM_DATA_MATCH_ERROR . ' = match error';
-        $body .= PHP_EOL . SYSTEM_FORM_DATA_ERROR . ' = error';
+        $body .= PHP_EOL . SYSTEM_FORM_DATA_PATTERN_ERROR . ' = Pattern error';
+        $body .= PHP_EOL . SYSTEM_FORM_DATA_REQUIRED_ERROR . ' = Required error';
+        $body .= PHP_EOL . SYSTEM_FORM_DATA_MATCH_ERROR . ' = Fields do not match';
+        $body .= PHP_EOL . SYSTEM_FORM_DATA_ERROR . ' = Error';
        $body .= PHP_EOL . SYSTEM_CSS_CLASS_QFQ_FORM . ' = main-class';
        $body .= PHP_EOL . SYSTEM_CSS_CLASS_QFQ_FORM_PILL . ' = pill-class';
        $body .= PHP_EOL . SYSTEM_CSS_CLASS_QFQ_FORM_BODY . ' = body-class';
@@ -387,10 +387,10 @@ EOT;
        $expect[F_BS_LABEL_COLUMNS] = '4';
        $expect[F_BS_INPUT_COLUMNS] = '5';
        $expect[F_BS_NOTE_COLUMNS] = '6';
-        $expect[F_FE_DATA_PATTERN_ERROR] = 'pattern error';
-        $expect[F_FE_DATA_REQUIRED_ERROR] = 'required error';
-        $expect[F_FE_DATA_MATCH_ERROR] = 'match error';
-        $expect[F_FE_DATA_ERROR] = 'error';
+        $expect[F_FE_DATA_PATTERN_ERROR] = 'Pattern error';
+        $expect[F_FE_DATA_REQUIRED_ERROR] = 'Required error';
+        $expect[F_FE_DATA_MATCH_ERROR] = 'Fields do not match error';
+        $expect[F_FE_DATA_ERROR] = 'Error';
        $expect[F_CLASS] = 'main-class';
        $expect[F_CLASS_PILL] = 'pill-class';
        $expect[F_CLASS_BODY] = 'body-class';