Feat/force validation #603
base: improve/variantCreationForm
Conversation
If values are empty after a successful call to VariantValidator, the onChange of these fields was originally removed to stop changes to these fields from resulting in a complete reset. However, the complete reset has been removed with this branch, so the onChanges can be kept.
The original message was outdated, since the onChange of the empty fields is no longer deactivated.
We now add checks to find out if all expected $_REQUEST variables were really set. If not, we will exit the script or set the values as empty.
Some changes are needed, I also found one XSS vulnerability that needs to be fixed.
// This field's variant was not fully validated! It should
// not be sent to the database. Let's add an error.
lovd_errorAdd($sField,
    'The variant ' . $sVariant . ' did not pass our checks. Please take another look and try again.'
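Review bot: $sVariant is concatenated into the error message unescaped, and lovd_errorAdd() messages are sent to the browser, so a variant string containing markup becomes an XSS. Escape it before building the message, e.g. 'The variant ' . htmlspecialchars($sVariant) . ' did not pass our checks. Please take another look and try again.'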
The variable $sVariant isn't cleaned here, so it shouldn't be sent out to the browser without cleaning (XSS vulnerability).
From now on, we always remove the reference sequence from the variant that is saved in the $_SESSION['VV']['validated_variants'] array. Note that we then also need to ensure that reference sequences are not kept within the DNA fields!
In this branch, the $_SESSION['VV']['validated_variants'] array is added and used to store all validated variants from the submission dialogue. This array is then used in checkFields() at POST to ensure that all variants in the submission form were indeed validated.

Related to #588