[ic] Form variable names with dashes don't work with profile checks

Mike Heins mike at heins.com
Fri May 27 15:16:19 UTC 2016


Quoting Jon Jensen (jon at endpoint.com):
> On Fri, 27 May 2016, Peter wrote:
> 
> >It seems that if you have a form variable with dashes in it (not
> >underscores) and attempt to run a profile check on it, do_check() parses
> >out only that part of the variable name after the final dash.  This is
> >due to the regexp which parses the profile line in do_check():
> >
> >               elsif ($parameter =~ /(\w+)[\s=]+(.*)/) {
> >
> >...since dash is not included in word characters it won't parse out as
> >part of the profile name.
> >
> >Is there any reason why the above line can't be changed to:
> >
> >               elsif ($parameter =~ /([\w-]+)[\s=]+(.*)/) {
> >
> >...and should we allow even additional characters?
> >
> >The reason this is coming up is because I'm adding a profile check for
> >recaptchas, and the recaptcha system uses "g-recaptcha-response" for the
> >form name.
> 
> Hmm. That makes sense, and I'm kind of surprised we haven't run into
> other similar situations before, but maybe people have just worked
> around it by doing form validation other ways if the form parameters
> didn't match ^\w+$ instead of worrying about this.
> 
> It feels a little risky to mess with this part of the code at all
> since there aren't many profile check tests in the test catalog, so
> I would suggest we just additionally allow the - character you need,
> and nothing more for now.

We could also make it a regex pattern that can be changed via a variable or
directive.

-- 
Mike Heins
End Point -- Expert Internet Consulting    http://www.endpoint.com/
phone +1.765.253.4194  <mikeh at endpoint.com>

Growth is the only evidence of life. -- John Henry Newman
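
Added example, not part of this thread or of Interchange's code: the pattern quoted from do_check(), the pattern proposed above, and a configurable pattern, each run over constructed profile lines to show which field name the check ends up attached to. `parse_profile_line` and `PROFILE_NAME_PATTERN` are hypothetical names, and allowing `.` in the configured pattern is an assumption for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Split one profile line into (field name, check). $name_re covers only the
# field-name part; the rest of the pattern is the one quoted in the thread.
sub parse_profile_line {
    my ($line, $name_re) = @_;
    return unless $line =~ /($name_re)[\s=]+(.*)/;
    return ($1, $2);
}

my $original = qr/\w+/;      # pattern in the quoted do_check() line
my $proposed = qr/[\w-]+/;   # pattern proposed in the thread

# Hypothetical override standing in for the "variable or directive" idea.
# PROFILE_NAME_PATTERN is an invented name, not an Interchange setting.
my %config = (PROFILE_NAME_PATTERN => '[\w.-]+');

# Compile the configured pattern defensively: a malformed value falls back
# to the fixed pattern instead of aborting every profile check.
my $configured = eval { qr/$config{PROFILE_NAME_PATTERN}/ } || $proposed;

# Constructed profile lines.
my @lines = (
    'email=required',
    'g-recaptcha-response=required',
    'billing.zip = required',
);

my @cases = (
    [ original   => $original ],
    [ proposed   => $proposed ],
    [ configured => $configured ],
);

for my $line (@lines) {
    for my $case (@cases) {
        my ($label, $re) = @$case;
        my ($name, $check) = parse_profile_line($line, $re);
        printf "%-10s %-30s name=%-22s check=%s\n",
            $label, $line, $name // '(no match)', $check // '';
    }
}
```

Because the pattern is unanchored, a name containing a character outside the allowed class is not rejected; the match simply starts later in the line, which is how `g-recaptcha-response` is captured as `response` under the original pattern.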


