CyberFabrik
New Member
Hello guys,
I've been playing with Fabrik and some public web forms (a simple contact us form). I was trying to break Fabrik when I realised that users are freely allowed to enter any HTML or PHP code, which actually passes through and gets stored in the database. So I guess when displaying tables with the recorded data this code could essentially be activated.
I would have thought that entering HTML code or any other form of code in the text fields should not be allowed in the first place by default. Am I right to assume that allowing PHP code to be entered would be a good recipe for injection vulnerabilities?
Of course, to be honest, I know that Fabrik is simply the means of creating forms and should not really be expected to do the work of a web developer. However, since Fabrik (and especially Fabrik 2.0) seems to follow Joomla development, I would think that it would be nice to have built-in input escaping and filtering by default, simply by copying the series of code checks and validations that the Joomla boys do (and maybe have an extra field option in the admin area to allow code entries per element).
In general, what custom validation rules do you guys use for your forms (especially the public ones)? It seems to me that the three (not empty, email, isalphanumeric) validation rules are far from enough for building robust forms.
Please correct me if I am wrong!
Many thanks.
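A defender-side illustration of the two controls the post asks about (a validation rule that rejects markup in a plain-text field, and escaping when the stored value is rendered in a list view), as an added PHP example that is not Fabrik's or Joomla's own code; the function names and the sample submissions are assumptions constructed here:

```php
<?php
// Added example (not Fabrik or Joomla code): plain PHP showing the two
// defences discussed in the post. Function names and samples are assumptions.

/**
 * Validation rule for a public text field: reject anything that looks like
 * markup or server-side code rather than trying to "clean" it in place.
 */
function validatePlainText(string $value, int $maxLen = 200): bool
{
    if ($value === '' || mb_strlen($value) > $maxLen) {
        return false;
    }
    // strip_tags() removes HTML and PHP tags; if the result differs from the
    // input, the input contained tags and is rejected outright.
    if (strip_tags($value) !== $value) {
        return false;
    }
    // Control characters (other than tab/newline/CR) are not legitimate here.
    return preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', $value) !== 1;
}

/**
 * Output escaping: whatever reached the database is rendered as literal text,
 * so even a row that bypassed validation is shown, not executed, by the browser.
 */
function renderCell(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample submissions, keyed by a hypothetical field name.
$submissions = [
    'name'    => 'Alice Example',
    'message' => '<script>alert(1)</script>', // HTML in a text field
    'code'    => '<?php echo "hi"; ?>',       // PHP tag in a text field
];

foreach ($submissions as $field => $value) {
    $verdict = validatePlainText($value) ? 'accepted' : 'rejected';
    echo "$field: $verdict\n";
}

// Even if a tagged value were stored, the list view prints it as text.
echo renderCell($submissions['message']), "\n";
```

Validation and output escaping are independent layers: the first keeps junk out of the database, the second protects every page that later displays a stored row.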