FormAPI and Semantic Forgeries

It would be nice to go into more detail about semantic forgeries in the Form API.

It seems that a hidden value can be changed if the value of that hidden element is set with #default_value
If a user alters a select list or radios or checkbox they get an error - if they alter
A _submit function should only use values from the $form_statue['values'] and not from $_POST and not from $form_state['clicked_button']['#post']

Add new comment

The Book, The Report

Cracking Drupal: A Drop in the Bucket

Written by a Drupal expert, this is the first book to reveal the vulnerabilities and security issues that exist in the sites that have been built with Drupal and how to prevent them from continuing.

Get your copy now.

Drupal Security White Paper

Curious about Drupal's security? Consider Drupal but want to make sure it's good enough? Read the Drupal Security Report

Security Review Service

If you are concerned about whether your site is secure, consider using the Security Review Module to get an initial sense. If you're looking for something much more in depth than a module or a book, Growing Venture Solutions offers a Security Review Service for Drupal Sites.

Recent Blog Posts

Mitigation against CVE-2010-1584 Drupal Context Module XSS

Posted by greggles

4 comments
Zerodayscan and Drupal: finding bugs for fame

Posted by greggles

0 comments
Creating a sanitized Drupal database dump

Posted by greggles

8 comments