Development Discussion Board

Postby **naderman** » Sat Jul 30, 2011 6:28 pm

I think authentication is a rather special case, so I agree with Oleg that if anything we should add something special for the password field, but not change the regular behaviour.

Postby **bantu** » Mon Aug 01, 2011 1:14 pm

Oleg wrote:How about adding a 'password' (or 'raw') field type which will not be trimmed?

"raw" sounds like a good idea to me.

Edit: But then again "raw" would probably also imply for most people that htmlspecialchars() is not called. Hmm.

Postby **naderman** » Wed Aug 03, 2011 12:12 am

Well it seems like the described case would actually not want to have htmlspecialchars applied either. The difference there is that it's reversible. So we don't necessarily need to provide a version without htmlspecialchars at all.

Postby **igorw** » Wed Aug 03, 2011 8:37 am

If we call it "raw" then I would omit the htmlspecialchars too. It wouldn't be too hard to modify the newly introduced $html_encode = true to be $raw = false:

https://github.com/phpbb/phpbb3/pull/296

Postby **naderman** » Wed Aug 03, 2011 3:38 pm

I'd rather we didn't allow omitting htmlspecialchars that easily. This function could easily be abused. Having to call htmlspecialchars_decode explicity, seems like more of a deterrant to actually do this.

Postby **bantu** » Thu Aug 04, 2011 12:33 pm

naderman wrote:I'd rather we didn't allow omitting htmlspecialchars that easily. This function could easily be abused. Having to call htmlspecialchars_decode explicity, seems like more of a deterrant to actually do this.

I agree and that's exactly what the edit in viewtopic.php?p=228285#p228285 was referring to.

Development Discussion Board

[RFC|Merged] Request Class

Re: [RFC|Merged] Request Class

Re: [RFC|Merged] Request Class

Re: [RFC|Merged] Request Class

Re: [RFC|Merged] Request Class

Re: [RFC|Merged] Request Class

Re: [RFC|Merged] Request Class

Who is online

Loading