Posted to dev@sling.apache.org by "Alexander Klimetschek (JIRA)" <ji...@apache.org> on 2013/04/01 11:05:16 UTC

[jira] [Comment Edited] (SLING-2803) Create a Validation module capable of validating POST requests or Resources

    [ https://issues.apache.org/jira/browse/SLING-2803?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13618706#comment-13618706 ] 

Alexander Klimetschek edited comment on SLING-2803 at 4/1/13 9:03 AM:
----------------------------------------------------------------------

@Radu: You can't put them into the request parameters - that way an attacker could modify them. That's why I mentioned request attributes above - to pass them from some custom servlet (that handles the form / reads the validation configuration from whatever the application has) to the sling post servlet, to which it includes/forwards via the request dispatcher.

@Eric: I don't rule out that certain cases might require a preprocessor, i.e. need to work based on the input vectors such as request parameters before they are applied. I just like the simplicity of validation running purely on the resource / JCR API, on a transient un-saved session. Validation would work in terms of the content structure or data model, not in terms of request attributes. This way the reuse is much larger, you could use the same validation for different servlets (with different request parameter options) or other application parts modifying the JCR. So I'd say let's try this for now and see how far you get with it.
                
      was (Author: alexander.klimetschek):
    @Radu: You can't put them into the request parameters - that way an attacker could modify them. That's why I mentioned request attributes above - to pass them from some custom servlet (that handles the form / reads the validation configuration from whatever the application has) to the sling post servlet, to which it includes/forwards via the request dispatcher.

@Eric: I don't rule out that certain cases might require a preprocessor, i.e. need to work based on the input vectors such as request processors before they are applied. I just like the simplicity of validation running purely on the resource / JCR API, on a transient un-saved session. Validation would work in terms of the content structure or data model, not in terms of request attributes. This way the reuse is much larger, you could use the same validation for different servlets (with different request parameter options) or other application parts modifying the JCR. So I'd say let's try this for now and see how far you get with it.
                  
> Create a Validation module capable of validating POST requests or Resources
> ---------------------------------------------------------------------------
>
>                 Key: SLING-2803
>                 URL: https://issues.apache.org/jira/browse/SLING-2803
>             Project: Sling
>          Issue Type: New Feature
>            Reporter: Radu Cotescu
>
> Several Sling users have asked in the past [1] about a Validation mechanism in Sling that's able to validate data coming from the user. However, such a module is still missing.
> This issue is meant to track the work progress on such a module.
> Ideally the module should be able to validate both request parameters and Resources, by obtaining their properties via a ValueMap and provide feedback in case of a validation error.
> [1] - http://sling.markmail.org/search/?q=validation

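The hand-off described in the comment above, as an added example that is not part of the original message or of Sling's code: a form-handling servlet attaches the validation rules as a request attribute and forwards to the POST target, and the receiving side reads the rules only from that attribute. The class name, attribute name, target path and sample rules are assumptions made for illustration, and the resource's properties are modelled as a plain map.

```java
import java.io.IOException;
import java.util.Map;
import java.util.regex.Pattern;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical form servlet that sits in front of the POST-handling servlet. */
public class FormHandlerServlet extends HttpServlet {

    // Hypothetical attribute name; not defined by Sling.
    static final String RULES_ATTR = "example.validation.rules";
    // Hypothetical fixed forward target, chosen server-side rather than by the client.
    static final String POST_TARGET = "/content/example/form";

    // Constructed sample rules. A real application would load these from its
    // own server-side configuration, never from anything the client sends.
    private static final Map<String, Pattern> RULES = Map.of(
            "email", Pattern.compile("[^@\\s]+@[^@\\s]+"),
            "age", Pattern.compile("\\d{1,3}"));

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // A client can send a parameter named like RULES_ATTR, but it cannot
        // set a request attribute: attributes exist only on the server side.
        req.setAttribute(RULES_ATTR, RULES);
        RequestDispatcher dispatcher = req.getRequestDispatcher(POST_TARGET);
        if (dispatcher == null) {
            resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            return;
        }
        dispatcher.forward(req, resp);
    }

    /** Receiving side: rules come from the attribute only; props are the unsaved values. */
    static boolean isValid(HttpServletRequest req, Map<String, Object> props) {
        Object attr = req.getAttribute(RULES_ATTR);
        if (!(attr instanceof Map)) {
            return false; // fail closed when no server-side rules were attached
        }
        for (Map.Entry<?, ?> rule : ((Map<?, ?>) attr).entrySet()) {
            Object value = props.get(rule.getKey());
            if (!(value instanceof String)
                    || !((Pattern) rule.getValue()).matcher((String) value).matches()) {
                return false;
            }
        }
        return true;
    }
}
```

Because `isValid` never calls `getParameter`, a request parameter that imitates the rules attribute has no effect on which checks run.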