What should CGI::Untaint do with parameters with values of empty strings?


From: Peter Speltz
Subject: What should CGI::Untaint do with parameters with values of empty strings?
Date: 17:59 on 07 Jul 2005
What should CGI::Untaint do with parameters with values of empty strings? 

I had thought this was a "No parameter for field" error. But actually I was
misunderstanding this error. Actually this error seems to be intended for
cases when the $field you are trying to untaint does not exist in the
parameter hash. Not for when the user did not enter input for the field. And
this is an important difference. I was confusing parameter values with
parameters or thinking they could be one and the same in this case.

So back to the question. Before 1.24 it returned the '' (and all false values)
without validating. Now it passes it to the untaint handlers. Most give an
error for an empty string and this error messes up FromCGI for non required
fields.

Possibilities I see are:

1) Let CGI::Untaint return '' if that is a parameter's value. (I thought someone
tried this and had a problem but don't see it now)  Then FromCGI can go on
working happy as it was.  This also seems pretty logical as what is the point
in untainting or validating non input.  Also it is easy to handle at a higher
level. However, it seems there should be some type of notice like "Hey the user
did not put anything in this input field." but it is not necessarily necessary
I guess.

2) What it does now -- pass them to the Untaint::* handlers and let them
and/or FromCGI deal with it better.

3) Return nothing and set a "No value for " error. 

4) Return '' and set a "No value error". 

--- Tony Bowden via RT <comment-CGI-Untaint@xx.xxxx.xxx> wrote:

> Full context and any attached attachments can be found at:
> <URL: http://rt.cpan.org/NoAuth/Bug.html?id=13501 >
> 
> On Fri, Jul 01, 2005 at 12:46:32PM -0400, Guest via RT wrote:
> > Empty inputs on forms are a case of "No parameter for" that field.
> > CGI programs (at least my modperl maypole ones) receive '', empty strings,
> > as values for empty fields on forms in their parameter hashes. As the test
> > below demonstrates CGI::Untaint does not treat empty strings as a case of
> > "No parameter for" that field.  Repercussions of this have been overly
> > discussed without much closure on mailing lists. Attached is a patch.
> 
> I am yet to be convinced that this is a bug.
> 
> > my $data = {
> >     name  => "Bart Simpson",
> >     grade => '',             # Forms return empty string for empty inputs
> >     age   => '',
> >     count => undef,
> > };
> >     ok !defined(my $res = $h->extract("-as_printable" => 'grade')),
> >         "Extract '' as printable returns undef";
> 
> This would not be correct behaviour. An empty string here is a valid
> printable string.
> 
> Tony
> 
> 


pjs
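As an added illustration of option 1 handled "at a higher level" (application code deciding what an empty string means before CGI::Untaint's handlers see it), this is not code from the thread, the RT ticket or CGI::Untaint itself; the `extract_field` helper, the `%params` hash and the per-field required/optional specs are constructed here for the example:

```perl
use strict;
use warnings;
use CGI::Untaint;

# Constructed parameter hash, mirroring the shapes discussed in the thread:
# a present-and-filled field, present-but-empty fields, and an absent field
# ('count' is deliberately not in the hash at all).
my %params = (
    name  => 'Bart Simpson',
    grade => '',    # browser submitted the field with no input
    age   => '',
);
my $handler = CGI::Untaint->new(\%params);

# Hypothetical helper: separates "parameter absent" from "parameter present
# but empty" and applies required/optional semantics in the application,
# so only non-empty input is ever passed to an untaint handler.
# Returns (value, error); value is undef when there is nothing usable.
sub extract_field {
    my ($h, $p, $field, $type, $required) = @_;

    # Absent key: this is what CGI::Untaint's "No parameter for" means.
    return (undef, "No parameter for $field") unless exists $p->{$field};

    # Present but empty: the case the thread is about.
    my $raw = $p->{$field};
    if (!defined $raw || !length $raw) {
        return (undef, "No value for $field") if $required;
        return ('', undef);    # optional and empty: nothing to validate
    }

    # Non-empty: let the real handler validate and untaint it.
    my $val = $h->extract("-as_$type" => $field);
    return (undef, $h->error) unless defined $val;
    return ($val, undef);
}

# Field specs: [name, untaint handler type, required?]
for my $spec ( ['name',  'printable', 1],
               ['grade', 'printable', 0],
               ['age',   'integer',   1],
               ['count', 'integer',   0] ) {
    my ($field, $type, $required) = @$spec;
    my ($val, $err) = extract_field($handler, \%params, $field, $type, $required);
    printf "%-6s => %s\n", $field,
        defined $err ? "error: $err" : "ok: '$val'";
}
```

With this split, a required-but-empty field ("age") and an absent field ("count") produce distinct errors, while an optional empty field ("grade") passes through as '' without the printable handler being consulted.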



Generated at 16:36 on 28 Jul 2005 by mariachi v0.52