[RFC|Merged] Request Class
Re: [RFC|Merged] Request Class
I think authentication is a rather special case, so I agree with Oleg that if anything we should add something special for the password field, but not change the regular behaviour.
- bantu
- 3.0 Release Manager
- Posts: 557
- Joined: Thu Sep 07, 2006 11:22 am
- Location: Karlsruhe, Germany
Re: [RFC|Merged] Request Class
Oleg wrote: How about adding a 'password' (or 'raw') field type which will not be trimmed?
"raw" sounds like a good idea to me.
Edit: But then again "raw" would probably also imply for most people that htmlspecialchars() is not called. Hmm.
Re: [RFC|Merged] Request Class
Well it seems like the described case would actually not want to have htmlspecialchars applied either. The difference there is that it's reversible. So we don't necessarily need to provide a version without htmlspecialchars at all.
Re: [RFC|Merged] Request Class
If we call it "raw" then I would omit the htmlspecialchars too. It wouldn't be too hard to modify the newly introduced $html_encode = true to be $raw = false:
https://github.com/phpbb/phpbb3/pull/296
Re: [RFC|Merged] Request Class
I'd rather we didn't allow omitting htmlspecialchars that easily. This function could easily be abused. Having to call htmlspecialchars_decode explicitly seems like more of a deterrent to actually do this.
- bantu
Re: [RFC|Merged] Request Class
naderman wrote: I'd rather we didn't allow omitting htmlspecialchars that easily. This function could easily be abused. Having to call htmlspecialchars_decode explicitly seems like more of a deterrent to actually do this.
I agree and that's exactly what the edit in viewtopic.php?p=228285#p228285 was referring to.
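The distinction the thread turns on (htmlspecialchars can be undone with htmlspecialchars_decode, trimming cannot) is shown below as an added example that is not part of the thread or of phpBB's code. The function names `get_variable` and `get_untrimmed` and the sample password are assumptions made for illustration, and the input is assumed to be valid UTF-8.

```php
<?php
// Hypothetical stand-ins for the request class's getters (names are assumptions).

// Regular behaviour discussed in the thread: trim, then HTML-encode.
function get_variable(array $input, string $name): string
{
    $value = (string) ($input[$name] ?? '');
    return htmlspecialchars(trim($value), ENT_QUOTES, 'UTF-8');
}

// Password-style field type: still HTML-encoded, but never trimmed.
function get_untrimmed(array $input, string $name): string
{
    $value = (string) ($input[$name] ?? '');
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed sample: a password with surrounding whitespace and HTML-special characters.
$post = ['password' => "  p<a&ss\"word' "];

// Hash of the password exactly as the user typed it.
$stored_hash = password_hash($post['password'], PASSWORD_DEFAULT);

// The caller has to opt in to the decoded value explicitly in both cases.
$from_regular   = htmlspecialchars_decode(get_variable($post, 'password'), ENT_QUOTES);
$from_untrimmed = htmlspecialchars_decode(get_untrimmed($post, 'password'), ENT_QUOTES);

// Decoding undoes the encoding, so the untrimmed value round-trips byte for byte.
// The trimmed value cannot be restored: the whitespace is gone before encoding.
var_dump($from_untrimmed === $post['password']);
var_dump($from_regular === $post['password']);

// Effect on authentication: only the untrimmed path verifies against the stored hash.
var_dump(password_verify($from_untrimmed, $stored_hash));
var_dump(password_verify($from_regular, $stored_hash));
```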