[RFC|Merged] Request Class

These requests for comments/change have lead to an implemented feature that has been successfully merged into the 3.1/Ascraeus branch. Everything listed in this forum will be available in phpBB 3.1.
User avatar
naderman
Consultant
Posts: 1727
Joined: Sun Jan 11, 2004 2:11 am
Location: Berlin, Germany
Contact:

Re: [RFC|Merged] Request Class

Post by naderman »

I think authentication is a rather special case, so I agree with Oleg that if anything we should add something special for the password field, but not change the regular behaviour.

User avatar
bantu
3.0 Release Manager
3.0 Release Manager
Posts: 557
Joined: Thu Sep 07, 2006 11:22 am
Location: Karlsruhe, Germany
Contact:

Re: [RFC|Merged] Request Class

Post by bantu »

Oleg wrote:How about adding a 'password' (or 'raw') field type which will not be trimmed?
"raw" sounds like a good idea to me.

Edit: But then again "raw" would probably also imply for most people that htmlspecialchars() is not called. Hmm.

User avatar
naderman
Consultant
Posts: 1727
Joined: Sun Jan 11, 2004 2:11 am
Location: Berlin, Germany
Contact:

Re: [RFC|Merged] Request Class

Post by naderman »

Well it seems like the described case would actually not want to have htmlspecialchars applied either. The difference there is that it's reversible. So we don't necessarily need to provide a version without htmlspecialchars at all.

igorw
Registered User
Posts: 500
Joined: Thu Jan 04, 2007 11:47 pm

Re: [RFC|Merged] Request Class

Post by igorw »

If we call it "raw" then I would omit the htmlspecialchars too. It wouldn't be too hard to modify the newly introduced $html_encode = true to be $raw = false:

https://github.com/phpbb/phpbb3/pull/296

User avatar
naderman
Consultant
Posts: 1727
Joined: Sun Jan 11, 2004 2:11 am
Location: Berlin, Germany
Contact:

Re: [RFC|Merged] Request Class

Post by naderman »

I'd rather we didn't allow omitting htmlspecialchars that easily. This function could easily be abused. Having to call htmlspecialchars_decode explicity, seems like more of a deterrant to actually do this.

User avatar
bantu
3.0 Release Manager
3.0 Release Manager
Posts: 557
Joined: Thu Sep 07, 2006 11:22 am
Location: Karlsruhe, Germany
Contact:

Re: [RFC|Merged] Request Class

Post by bantu »

naderman wrote:I'd rather we didn't allow omitting htmlspecialchars that easily. This function could easily be abused. Having to call htmlspecialchars_decode explicity, seems like more of a deterrant to actually do this.
I agree and that's exactly what the edit in viewtopic.php?p=228285#p228285 was referring to.

Post Reply