Forum OpenACS Development: Re: ad_form - Validate as you type using AJAX

Posted by Dave Bauer on
Can this be used to access code/database queries without permissions checks? Since the universal url has to be readble but the public in case unregistered users can submit some form, if a validation did a database query lookup it could expose some data or at least the existance of the data, if not the data itself.

Maybe doing a permission check on the ad_conn url based on the key would be good. I am trying to think if there is a more secure way to manage the key. Probably an sha1 hash with of the key and a server secret could not hurt. This way the url of the key could not be edited.

Overall i like the idea. It piggybacks on the server side validation specification which is the right thing to do.

Sometime in the future i'd like to deprecate ajaxhelper, and have a standard JS library based on Yahoo UI, but since I haven't written that yet, I certainly can't complain. It looks like this will gracefully degrade if you don't have javascript enabled it just does the after submit validation.

Posted by Ryan Gallimore on
Thank you, Dave, for the security insight. I'll add that to my code. I'd also like to add maxlength checking like on form submit.
Posted by Ryan Gallimore on
I've released a new version of the AJAX validator for ad_form - with a permission check as recommended by Dave Bauer, and maxlength validation.

Please see the documentation for more information.

You can try it out here.

Please post any bugs or suggestions.