[RFC|Merged] Request Class

These requests for comments/change have led to an implemented feature that has been successfully merged into the 3.1/Ascraeus branch. Everything listed in this forum will be available in phpBB 3.1.
naderman
Product Manager
Posts: 1727
Joined: Sun Jan 11, 2004 2:11 am
Location: Karlsruhe, Germany

Re: [RFC|Merged] Request Class

Post by naderman » Sat Jul 30, 2011 6:28 pm

I think authentication is a rather special case, so I agree with Oleg that if anything we should add something special for the password field, but not change the regular behaviour.

bantu
3.0 Release Manager
Posts: 557
Joined: Thu Sep 07, 2006 11:22 am
Location: Karlsruhe, Germany

Re: [RFC|Merged] Request Class

Post by bantu » Mon Aug 01, 2011 1:14 pm

Oleg wrote: How about adding a 'password' (or 'raw') field type which will not be trimmed?
"raw" sounds like a good idea to me.

Edit: But then again "raw" would probably also imply for most people that htmlspecialchars() is not called. Hmm.

naderman
Product Manager
Posts: 1727
Joined: Sun Jan 11, 2004 2:11 am
Location: Karlsruhe, Germany

Re: [RFC|Merged] Request Class

Post by naderman » Wed Aug 03, 2011 12:12 am

Well it seems like the described case would actually not want to have htmlspecialchars applied either. The difference there is that it's reversible. So we don't necessarily need to provide a version without htmlspecialchars at all.

igorw
Registered User
Posts: 500
Joined: Thu Jan 04, 2007 11:47 pm

Re: [RFC|Merged] Request Class

Post by igorw » Wed Aug 03, 2011 8:37 am

If we call it "raw" then I would omit the htmlspecialchars too. It wouldn't be too hard to modify the newly introduced $html_encode = true to be $raw = false:

https://github.com/phpbb/phpbb3/pull/296

naderman
Product Manager
Posts: 1727
Joined: Sun Jan 11, 2004 2:11 am
Location: Karlsruhe, Germany

Re: [RFC|Merged] Request Class

Post by naderman » Wed Aug 03, 2011 3:38 pm

I'd rather we didn't allow omitting htmlspecialchars that easily. This function could easily be abused. Having to call htmlspecialchars_decode explicitly seems like more of a deterrent to actually do this.

bantu
3.0 Release Manager
Posts: 557
Joined: Thu Sep 07, 2006 11:22 am
Location: Karlsruhe, Germany

Re: [RFC|Merged] Request Class

Post by bantu » Thu Aug 04, 2011 12:33 pm

naderman wrote: I'd rather we didn't allow omitting htmlspecialchars that easily. This function could easily be abused. Having to call htmlspecialchars_decode explicitly seems like more of a deterrent to actually do this.
I agree and that's exactly what the edit in viewtopic.php?p=228285#p228285 was referring to.
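The behaviour the thread converges on (trim and html-encode by default, a password accessor that skips trimming but keeps the encoding, and an explicit htmlspecialchars_decode() call as the only way back to the original bytes) can be sketched as follows. This is an added example written for this page, not phpBB's request class or the code in pull request 296; the class name example_request, its methods, and the sample input are all hypothetical.

```php
<?php
// Added example, not phpBB's own request class. It demonstrates the
// design discussed above: string input is trimmed and run through
// htmlspecialchars() by default; a separate password accessor keeps
// leading/trailing whitespace (it is part of the secret) but still
// encodes, because encoding is reversible; callers that need the exact
// bytes must call htmlspecialchars_decode() explicitly. All names here
// are hypothetical.

class example_request
{
    private $post;

    public function __construct(array $post)
    {
        $this->post = $post;
    }

    /**
     * Default accessor: whitespace trimmed, HTML special characters
     * encoded, so the value can be echoed into a template as-is.
     */
    public function variable($name, $default = '')
    {
        if (!isset($this->post[$name])) {
            return $default;
        }
        return htmlspecialchars(trim((string) $this->post[$name]), ENT_COMPAT, 'UTF-8');
    }

    /**
     * Password accessor: not trimmed, but still encoded. The only
     * difference from variable() is the missing trim() call.
     */
    public function password($name)
    {
        if (!isset($this->post[$name])) {
            return '';
        }
        return htmlspecialchars((string) $this->post[$name], ENT_COMPAT, 'UTF-8');
    }
}

// Constructed sample input: a username with stray spaces and a password
// that starts with a space and contains characters htmlspecialchars()
// rewrites.
$request = new example_request(array(
    'username' => '  <admin>  ',
    'password' => ' p&ss<word> ',
));

// Safe to echo into HTML; whitespace is gone, angle brackets are entities.
var_dump($request->variable('username'));

// Still safe to echo, but the leading/trailing space survives.
$encoded_password = $request->password('password');
var_dump($encoded_password);

// The password verifier is the one place that needs the original bytes,
// and it has to ask for them explicitly. Same flags as the encoder so
// the round trip is exact.
$original_password = htmlspecialchars_decode($encoded_password, ENT_COMPAT);
var_dump($original_password === ' p&ss<word> ');
```

Using ENT_COMPAT on both sides keeps the round trip exact: a user who literally types `&lt;` is encoded to `&amp;lt;` and decoded back to `&lt;`, so nothing is lost and no value is double-interpreted. The deterrent naderman describes is visible in the code: there is no accessor that returns unencoded data, so any place that wants it has to contain a conspicuous htmlspecialchars_decode() call.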
