[Html-widget] when to run filters. WAS: file uploads and element_type combined patch

John Napiorkowski jjn1056 at yahoo.com
Wed Nov 29 19:07:15 GMT 2006


--- Carl Franks <fireartist at gmail.com> wrote:

> I'm wondering if the current behaviour of filters is
> wrong.
> 
> Currently, if a submitted form contains errors, and
> you send it back
> to the user with $result->as_xml(), the form field
> values contain the
> user's input /after/ the filters have been run.
> 
> This is very likely the wrong behaviour, when
> filters such as
> HTMLEscape are taken into account.
> I think that the raw user input should be sent back
> in $result->as_xml(),
> and the output of the filters should only be
> accessible through
> $result->param() or $result->params().
> 
> This would also have the side effect that we
> wouldn't have to worry
> about filters causing fatal errors during
> $widget->process(), as the
> filters wouldn't have to be run until the first call
> of
> $result->param() or params().
> 
> We could also provide a $result->run_filters()
> method, which you could
> call yourself so that you can handle any possible
> errors, if you
> anticipate your filters causing any.

My case example of using a filter to validate an image
file and then normalize its size and type would agree
with your assessment. To be honest I am starting to
wonder if I shouldn't just yank all that from the form
and put it into an interface class for my database
model.

What other things are people doing with filters other
than to normalize the content and clean up input
against cross site scripting/html injection type
attacks?

--john

> 
> Any opinions?
> 
> Carl
> 
> _______________________________________________
> Html-widget mailing list
> Html-widget at lists.rawmode.org
> http://lists.rawmode.org/cgi-bin/mailman/listinfo/html-widget
> 
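A small Python model of the two behaviours Carl contrasts above (filters run inside process() and echoed back by as_xml(), versus raw input echoed back and filters deferred until param()/params() or an explicit run_filters()), added here as an illustration and not HTML::Widget's own code; the names FormResult, FilterError, html_escape_filter and the defer_filters flag are assumptions of this example.

```python
import html


class FilterError(Exception):
    """Raised when a filter cannot normalise a value (e.g. a bad image upload)."""


def html_escape_filter(value):
    # Stands in for an HTMLEscape-style filter (assumed behaviour).
    return html.escape(value, quote=True)


class FormResult:
    """Toy model of a processed form result; not HTML::Widget's code."""

    def __init__(self, raw, filters, defer_filters=True):
        self._raw = dict(raw)        # exactly what the user submitted
        self._filters = filters      # field name -> list of filter callables
        self._filtered = None        # populated by run_filters()
        self._defer = defer_filters
        if not defer_filters:
            # current behaviour: filters run during process(), so a failing
            # filter is fatal before the form can be re-rendered at all
            self.run_filters()

    def run_filters(self):
        # explicit entry point so the caller can catch FilterError itself
        if self._filtered is None:
            out = {}
            for name, value in self._raw.items():
                for f in self._filters.get(name, []):
                    value = f(value)
                out[name] = value
            self._filtered = out
        return self._filtered

    def param(self, name):
        return self.run_filters().get(name)

    def params(self):
        return dict(self.run_filters())

    def as_xml(self):
        # proposed: echo the raw input, escaped once for the attribute context.
        # current: echo the filtered value, which HTMLEscape already escaped,
        # so the user sees "&lt;" literally instead of "<" (double escaping).
        values = self._raw if self._defer else self._filtered
        return "".join(
            '<input name="%s" value="%s" />'
            % (html.escape(k, quote=True), html.escape(v, quote=True))
            for k, v in sorted(values.items())
        )
```

With deferred filters a filter that dies (John's image-normalising case) no longer breaks re-rendering the form; it surfaces only when param() or run_filters() is called.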


