
This queue is for tickets about the Params-Validate CPAN distribution.

Report information
The Basics
Id: 4913
Status: resolved
Priority: 0/
Queue: Params-Validate

People
Owner: Nobody in particular
Requestors: sabol [...] alderaan.gsfc.nasa.gov
Cc:
AdminCc:

Bug Information
Severity: Wishlist
Broken in: (no value)
Fixed in: 0.73

Subject: add option to untaint?
I think it would be *very* convenient if Params::Validate could (optionally) untaint parameters. I envision an optional 'untaint' key in the validation spec for each argument in which untainting is desired. Possible values for this key could be a regex (with appropriate parentheses such that the value could be replaced with $1) or a supplied code reference. Untainting should occur only after the parameter passes all other validation requirements. Here's an example of usage:

    my %args =
        validate( @_,
                  foo =>
                  { type => SCALAR,
                    untaint => sub {
                        my $handler = CGI::Untaint->new({ url => $_[0] });
                        return $handler->extract(-as_url => 'url');
                    },
                  },
                  bar =>
                  { type => SCALAR,
                    regex => qr/^\d+$/,
                    callbacks =>
                    { # ... and smaller than 90
                      'less than 90' => sub { shift() < 90 },
                    },
                    untaint => qr/^(\d+)$/,
                  }
                );

Web developers who use Params::Validate currently have to untaint all parameters after validation. It would be great if Params::Validate could subsume this task, especially since parameter validation and untainting are very much related.

While adding this capability to Params::Validate would put it in competition with CGI::Untaint to some degree, they could also complement each other, as seen in the above example with the code reference. In the simpler cases of regex validation, untainting with Params::Validate would be vastly easier than implementing the same thing in CGI::Untaint, but CGI::Untaint would still be useful for more complex things like e-mail and URL address untainting, for example.
Date: Tue, 13 Jan 2004 23:19:19 -0600 (CST)
From: Dave Rolsky <autarch [...] urth.org>
To: Guest via RT <bug-Params-Validate [...] rt.cpan.org>
Subject: Re: [cpan #4913] add option to untaint?
RT-Send-Cc:
On Mon, 12 Jan 2004, Guest via RT wrote:

> I think it would be *very* convenient if Params::Validate could
> (optionally) untaint parameters. I envision an optional 'untaint' key in
> the validation spec for each argument in which untainting is desired.
> Possible values for this key could be a regex (with appropriate
> parentheses such that the value could be replaced with $1) or a supplied
> code reference. Untainting should occur only after the parameter passes
> all other validation requirements. Here's an example of usage:
>
> my %args =
>     validate( @_,
>               foo =>
>               { type => SCALAR,
>                 untaint => sub {
>                     my $handler = CGI::Untaint->new({ url => $_[0] });
>                     return $handler->extract(-as_url => 'url');
>                 },

Why would untaint be a callback? Shouldn't it just be a boolean? Verifying that foo is a URL can already be done via a regular callback parameter.

>               { type => SCALAR,
>                 regex => qr/^\d+$/,
>                 callbacks =>
>                 { # ... and smaller than 90
>                   'less than 90' => sub { shift() < 90 },
>                 },
>                 untaint => qr/^(\d+)$/,
>               }

Again, why would the untaint parameter duplicate the existing regex functionality?

-dave

/*=======================
House Absolute Consulting
www.houseabsolute.com
=======================*/
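The behaviour both messages argue over, as an added illustration written for this ticket rather than code from Params::Validate or from either poster: a toy validator that accepts the requester's three untaint forms (capturing regex, code reference) plus the boolean form Dave suggests, where `untaint => 1` reuses the spec's own `regex` capture, and that untaints only after the regex and every callback have passed. `validate_untaint` and the `%spec`/`$bar_in` names are assumptions; run it with `perl -T`.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Toy validator (illustration only, not Params::Validate's code).
# Spec keys: regex, callbacks (name => sub), untaint (1 | qr// | sub).
# Untainting runs only after every other check on that parameter passes.
sub validate_untaint {
    my ($args, $spec) = @_;
    my %out;
    for my $name (sort keys %$spec) {
        my $s   = $spec->{$name};
        my $val = $args->{$name};
        die "$name: missing\n" unless defined $val;
        die "$name: does not match regex\n"
            if $s->{regex} && $val !~ $s->{regex};
        for my $cb (sort keys %{ $s->{callbacks} || {} }) {
            die "$name: failed callback '$cb'\n"
                unless $s->{callbacks}{$cb}->($val);
        }
        if (my $u = $s->{untaint}) {
            if (ref $u eq 'CODE') {
                $val = $u->($val);             # caller's own extractor
            }
            else {
                # untaint => 1 reuses the validation regex (the boolean form);
                # untaint => qr// uses the supplied capturing pattern instead
                my $re = ref $u eq 'Regexp' ? $u : $s->{regex};
                die "$name: untaint needs a capturing regex\n"
                    unless defined $re && $val =~ $re && defined $1;
                $val = $1;                     # a regex capture is untainted
            }
            die "$name: untaint produced no value\n" unless defined $val;
        }
        $out{$name} = $val;
    }
    return \%out;
}

# Constructed input: under -T, %ENV is tainted, and concatenating even an
# empty substring of a tainted value taints the result.
my $bar_in = '42' . substr($ENV{PATH} // '', 0, 0);
my %spec = (
    bar => { regex     => qr/^(\d+)$/,
             callbacks => { 'less than 90' => sub { shift() < 90 } },
             untaint   => 1 },
);
my $out = validate_untaint({ bar => $bar_in }, \%spec);
printf "before=%d after=%d\n", tainted($bar_in) ? 1 : 0, tainted($out->{bar}) ? 1 : 0;
```

Change `$bar_in` to `'99' . substr(...)` or `'4x' . substr(...)` to see the callback or regex reject the value before any untainting happens.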