[ic] Form variable names with dashes don't work with profile checks
Jon Jensen
jon at endpoint.com
Fri May 27 15:05:04 UTC 2016
On Fri, 27 May 2016, Peter wrote:
> It seems that if you have a form variable with dashes in it (not
> underscores) and attempt to run a profile check on it, do_check() parses
> out only that part of the variable name after the final dash. This is
> due to the regexp which parses the profile line in do_check():
>
> elsif ($parameter =~ /(\w+)[\s=]+(.*)/) {
>
> ...since dash is not included in word characters it won't parse out as
> part of the profile name.
>
> Is there any reason why the above line can't be changed to:
>
> elsif ($parameter =~ /([\w-]+)[\s=]+(.*)/) {
>
> ...and should we allow even additional characters?
>
> The reason this is coming up is because I'm adding a profile check for
> recaptchas, and the recaptcha system uses "g-recaptcha-response" for the
> form name.

Hmm. That makes sense, and I'm kind of surprised we haven't run into other
similar situations before, but maybe people have just worked around it by
doing form validation other ways if the form parameters didn't match ^\w+$
instead of worrying about this.

It feels a little risky to mess with this part of the code at all since
there aren't many profile check tests in the test catalog, so I would
suggest we just additionally allow the - character you need, and nothing
more for now.

Jon

--
Jon Jensen
End Point Corporation
https://www.endpoint.com/
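
The parsing behaviour discussed in this thread, as an added example that is not part of the original messages and is not Interchange's own code: it runs the two patterns quoted above over constructed profile lines and flags every line where the extracted variable name differs from the one written in the profile. The helper `parse_line`, the sample lines and the "intended name" heuristic (everything before the first whitespace or `=`) are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# The two patterns quoted in the thread: the original and the proposed one.
my %pattern = (
    original => qr/(\w+)[\s=]+(.*)/,
    proposed => qr/([\w-]+)[\s=]+(.*)/,
);

# Hypothetical helper (not Interchange's do_check): return the variable
# name and the check text that a pattern extracts from one profile line,
# or an empty list when the pattern does not match.
sub parse_line {
    my ($re, $line) = @_;
    return $line =~ $re ? ($1, $2) : ();
}

# Constructed profile lines, for illustration only.
my @lines = (
    'email=required',
    'g-recaptcha-response=required',
    'ship-to-zip = required',
);

for my $line (@lines) {
    # Assumption: the name the profile author meant is everything before
    # the first whitespace or '=' on the line.
    my ($intended) = $line =~ /^([^\s=]+)/;

    for my $which (qw(original proposed)) {
        my ($name, $check) = parse_line($pattern{$which}, $line);

        # Because the patterns are unanchored, a name containing a
        # character outside the class is truncated, not rejected.
        my $status = !defined $name     ? 'NO MATCH'
                   : $name eq $intended ? 'ok'
                   :                      "WRONG FIELD (wanted $intended)";

        printf "%-8s %-30s name=%-22s check=%-9s %s\n",
            $which, $line, $name // '-', $check // '-', $status;
    }
}
```

With the original pattern the dashed lines are reported as `WRONG FIELD`: the check is attached to a variable named `response` or `zip`, so the field written in the profile is never validated and no error is raised.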