[ic] Form variable names with dashes don't work with profile checks

Jon Jensen jon at endpoint.com
Fri May 27 15:05:04 UTC 2016

On Fri, 27 May 2016, Peter wrote:

> It seems that if you have a form variable with dashes in it (not
> underscores) and attempt to run a profile check on it, do_check() parses
> out only that part of the variable name after the final dash.  This is
> due to the regexp which parses the profile line in do_check():
>                elsif ($parameter =~ /(\w+)[\s=]+(.*)/) {
> ...since dash is not included in word characters it won't parse out as
> part of the profile name.
> Is there any reason why the above line can't be changed to:
>                elsif ($parameter =~ /([\w-]+)[\s=]+(.*)/) {
> ...and should we allow even additional characters?
> The reason this is coming up is because I'm adding a profile check for
> recaptchas, and the recaptcha system uses "g-recaptcha-response" for the
> form name.

Hmm. That makes sense, and I'm kind of surprised we haven't run into other 
similar situations before, but maybe people have just worked around it by 
doing form validation other ways if the form parameters didn't match ^\w+$ 
instead of worrying about this.

It feels a little risky to mess with this part of the code at all since 
there aren't many profile check tests in the test catalog, so I would 
suggest we just additionally allow the - character you need, and nothing 
more for now.


Jon Jensen
End Point Corporation

More information about the interchange-users mailing list