Form variable names with dashes don't work with profile checks
It seems that if you have a form variable with dashes in it (not
underscores) and attempt to run a profile check on it, do_check() parses
out only that part of the variable name after the final dash. This is
due to the regexp which parses the profile line in do_check():

elsif ($parameter =~ /(\w+)[\s=]+(.*)/) {

...since dash is not included in word characters it won't parse out as
part of the profile name.

Is there any reason why the above line can't be changed to:

elsif ($parameter =~ /([\w-]+)[\s=]+(.*)/) {

...and should we allow even additional characters?

The reason this is coming up is because I'm adding a profile check for
recaptchas, and the recaptcha system uses "g-recaptcha-response" for the
form name.


Peter

_______________________________________________
interchange-users mailing list
interchange-users@icdevgroup.org
http://www.icdevgroup.org/mailman/listinfo/interchange-users
Re: Form variable names with dashes don't work with profile checks
On Fri, 27 May 2016, Peter wrote:

> It seems that if you have a form variable with dashes in it (not
> underscores) and attempt to run a profile check on it, do_check() parses
> out only that part of the variable name after the final dash. This is
> due to the regexp which parses the profile line in do_check():
>
> elsif ($parameter =~ /(\w+)[\s=]+(.*)/) {
>
> ...since dash is not included in word characters it won't parse out as
> part of the profile name.
>
> Is there any reason why the above line can't be changed to:
>
> elsif ($parameter =~ /([\w-]+)[\s=]+(.*)/) {
>
> ...and should we allow even additional characters?
>
> The reason this is coming up is because I'm adding a profile check for
> recaptchas, and the recaptcha system uses "g-recaptcha-response" for the
> form name.

Hmm. That makes sense, and I'm kind of surprised we haven't run into other
similar situations before, but maybe people have just worked around it by
doing form validation other ways if the form parameters didn't match ^\w+$
instead of worrying about this.

It feels a little risky to mess with this part of the code at all since
there aren't many profile check tests in the test catalog, so I would
suggest we just additionally allow the - character you need, and nothing
more for now.

Jon


--
Jon Jensen
End Point Corporation
https://www.endpoint.com/

Re: Form variable names with dashes don't work with profile checks
Quoting Jon Jensen (jon@endpoint.com):
> On Fri, 27 May 2016, Peter wrote:
>
> >It seems that if you have a form variable with dashes in it (not
> >underscores) and attempt to run a profile check on it, do_check() parses
> >out only that part of the variable name after the final dash. This is
> >due to the regexp which parses the profile line in do_check():
> >
> > elsif ($parameter =~ /(\w+)[\s=]+(.*)/) {
> >
> >...since dash is not included in word characters it won't parse out as
> >part of the profile name.
> >
> >Is there any reason why the above line can't be changed to:
> >
> > elsif ($parameter =~ /([\w-]+)[\s=]+(.*)/) {
> >
> >...and should we allow even additional characters?
> >
> >The reason this is coming up is because I'm adding a profile check for
> >recaptchas, and the recaptcha system uses "g-recaptcha-response" for the
> >form name.
>
> Hmm. That makes sense, and I'm kind of surprised we haven't run into
> other similar situations before, but maybe people have just worked
> around it by doing form validation other ways if the form parameters
> didn't match ^\w+$ instead of worrying about this.
>
> It feels a little risky to mess with this part of the code at all
> since there aren't many profile check tests in the test catalog, so
> I would suggest we just additionally allow the - character you need,
> and nothing more for now.

We could also make it a regex pattern that can be changed via a variable or
directive.

--
Mike Heins
End Point -- Expert Internet Consulting http://www.endpoint.com/
phone +1.765.253.4194 <mikeh@endpoint.com>

Growth is the only evidence of life. -- John Henry Newman
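
Added example, not part of the thread and not Interchange's code: the regex quoted above, run over constructed profile lines with the name pattern passed in as a parameter, which is the shape of the configurable-pattern suggestion. It shows the unanchored match capturing only the tail of a dashed name, so the parsed name is not the field the profile author wrote. The sub names, the anchored variant and the dotted sample name are assumptions made for illustration.

```perl
use strict;
use warnings;

# Hypothetical stand-in for the one regex quoted in the thread; this is
# not Interchange's do_check(). $name_re is the pluggable name pattern.
sub parse_check_line {
    my ($line, $name_re) = @_;
    return $line =~ /($name_re)[\s=]+(.*)/ ? ($1, $2) : ();
}

# Assumption, not proposed in the thread: anchor the match so a line that
# does not begin with a valid name is rejected rather than matched midway.
sub parse_check_line_anchored {
    my ($line, $name_re) = @_;
    return $line =~ /\A\s*($name_re)[\s=]+(.*)\z/s ? ($1, $2) : ();
}

my @cases = (
    [ 'old \w+',             qr/\w+/,    \&parse_check_line ],
    [ 'new [\w-]+',          qr/[\w-]+/, \&parse_check_line ],
    [ 'new [\w-]+ anchored', qr/[\w-]+/, \&parse_check_line_anchored ],
);

# Constructed profile lines; the dotted name is made up to show a
# character that neither pattern allows.
my @lines = (
    'email=required',
    'g-recaptcha-response=required',
    'g.recaptcha.response=required',
);

for my $line (@lines) {
    print "$line\n";
    for my $case (@cases) {
        my ($label, $name_re, $parser) = @$case;
        my ($name, $check) = $parser->($line, $name_re);
        printf "  %-20s %s\n", $label,
            defined $name ? "name='$name' check='$check'" : 'rejected';
    }
}
```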

Re: Form variable names with dashes don't work with profile checks
Quoting Mike Heins (mike@heins.com):
> Quoting Jon Jensen (jon@endpoint.com):
> > On Fri, 27 May 2016, Peter wrote:
> >
> > >It seems that if you have a form variable with dashes in it (not
> > >underscores) and attempt to run a profile check on it, do_check() parses
> > >out only that part of the variable name after the final dash. This is
> > >due to the regexp which parses the profile line in do_check():
> > >
> > > elsif ($parameter =~ /(\w+)[\s=]+(.*)/) {
> > >
> > >...since dash is not included in word characters it won't parse out as
> > >part of the profile name.
> > >
> > >Is there any reason why the above line can't be changed to:
> > >
> > > elsif ($parameter =~ /([\w-]+)[\s=]+(.*)/) {
> > >
> > >...and should we allow even additional characters?
> > >
> > >The reason this is coming up is because I'm adding a profile check for
> > >recaptchas, and the recaptcha system uses "g-recaptcha-response" for the
> > >form name.
> >
> > Hmm. That makes sense, and I'm kind of surprised we haven't run into
> > other similar situations before, but maybe people have just worked
> > around it by doing form validation other ways if the form parameters
> > didn't match ^\w+$ instead of worrying about this.
> >
> > It feels a little risky to mess with this part of the code at all
> > since there aren't many profile check tests in the test catalog, so
> > I would suggest we just additionally allow the - character you need,
> > and nothing more for now.
>
> We could also make it a regex pattern that can be changed via a variable or
> directive.

Proposed change pushed. Tested inline in module, not in real world, but
should be safe.

--
Mike Heins
End Point -- Expert Internet Consulting http://www.endpoint.com/
phone +1.765.253.4194 <mikeh@endpoint.com>

An amateur practices until he gets it right. A pro
practices until he can't get it wrong. -- unknown

Re: Form variable names with dashes don't work with profile checks
On 28/05/16 03:39, Mike Heins wrote:
>>> I would suggest we just additionally allow the - character you need,
>>> and nothing more for now.
>>
>> We could also make it a regex pattern that can be changed via a variable or
>> directive.
>
> Proposed change pushed. Tested inline in module, not in real world, but
> should be safe.

I like that solution, thanks.


Peter
