Hi Yury,

Yes, it's true that malicious (or inquisitive) users can turn off all of SF's validation. SF's main validation is JavaScript-based, and as far as I know that one can be shut off by users just as easily as the HTML changes you mentioned. I've made no effort to try to make SF more secure in that regard, for two related reasons:

- unless there's some custom coding done, users will always be able to go to "action=edit" and modify the page directly, however they want.

- more generally, it's a wiki: the default approach is to let everyone edit any page however they want. When malicious edits are made, they're easy to spot and revert, and the user who made the edit can then be blocked.

And there's a third reason, which is that these kinds of "clever" malicious edits are, from my experience, extremely rare: vandalism tends to be done by users who are idiots and/or spammers.

Any thoughts on that?


On Tue, Oct 30, 2012 at 11:34 AM, Yury Katkov <katkov.juriy@gmail.com> wrote:
Hi Yaron and everyone!

We experimented a bit with Semantic Forms and found that the forms do
not validate the correctness of the values for 'values from category'.
Here is an example: I define a form with the field

{{field|nameofthefield|values from category=Mycategory|input type=dropdown}}

My intuition is that it's impossible to enter the value that is not
listed in a dropdown, so I want to rely on some validation mechanism
of SF.
It's not so, unfortunately.

Using Firebug or Chrome Developer (see [1]) I can alter any <option>
in a dropdown and send the data that is not allowed (see [2]).

Yaron, is the enhanced security and validation of Forms currently in
the roadmap? IMHO it's a serious issue for those who use semantic
forms to really restrict the editing of the pages.

[1] http://i.imm.io/Jdm3.png
[2] http://i.imgur.com/WkPpG.png
Yury Katkov, WikiVote

WikiWorks MediaWiki Consulting http://wikiworks.com
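The server-side counterpart of the bypass Yury describes, as an added illustration that is not part of Semantic Forms or of this thread: a Python stand-in (the extension itself is PHP) that parses the `{{field|...}}` call from the message and rejects a submitted value that the dropdown never offered, so editing an `<option>` in the browser no longer matters. The category membership for "Mycategory" is constructed for the example.

```python
import re

# Constructed stand-in for the MediaWiki category the dropdown is
# populated from; a real check would query the category's members.
CATEGORY_MEMBERS = {
    "Mycategory": {"Alpha", "Beta", "Gamma"},
}

FIELD_RE = re.compile(r"\{\{field\|(?P<body>[^}]*)\}\}")


def parse_field(template_call):
    """Parse a Semantic Forms {{field|name|key=value|...}} call."""
    m = FIELD_RE.fullmatch(template_call.strip())
    if not m:
        raise ValueError("not a {{field|...}} call")
    parts = m.group("body").split("|")
    name, params = parts[0].strip(), {}
    for p in parts[1:]:
        key, _, val = p.partition("=")
        params[key.strip()] = val.strip()
    return name, params


def allowed_values(params):
    """Allowed set for the field, or None if the field is unconstrained."""
    if "values from category" in params:
        return CATEGORY_MEMBERS.get(params["values from category"], set())
    if "values" in params:
        return {v.strip() for v in params["values"].split(",")}
    return None


def validate_submission(template_call, submitted):
    """Server-side check that ignores whatever the browser's JS did.

    Returns (True, None) when the submitted value is one the form offered,
    otherwise (False, reason). Client-side <option> edits cannot change this.
    """
    name, params = parse_field(template_call)
    allowed = allowed_values(params)
    if allowed is None:
        return True, None
    value = submitted.get(name, "")
    if value in allowed:
        return True, None
    return False, f"field '{name}': value {value!r} is not in the allowed set"
```

Whether a given wiki wants this at all is a separate question, as Yaron notes: on an open wiki the revert-and-block workflow may be the intended control, and this check only makes sense where the form is meant to restrict editing.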