5.5. The Form API

The Form API provides several benefits to developers. This chapter looks at its semantic protection, the places where it filters user content and some of the points where it doesn't filter content and developers must do that filtering themselves. If you are used to creating forms manually, you may initially think the Form API requires a lot of work in order to do something that used to be simple. However, when you consider all the added benefits it provides—CSRF protection, semantic validation, extensibility—it suddenly seems like very little work for the benefit provided.

5.5.1. Semantic Protection: Invalid Form Data

One common mistake among new web developers is to assume that a site visitor will only submit the HTML forms exactly as they are presented. However, a malicious visitor could save the page as a local HTML file, edit it to add the option she wants, load the local file into her browser, and submit the altered form back to your site. That's a bit of work, so there are special tools such as local proxies and browser plug-ins such as the Firefox Tamper Data extension that make it quite easy for a site visitor to submit any form data that she desires.

Tamper Data Extension to Firefox

The Firefox browser provides an add-on capability much like Drupal's modules. One great tool for testing the security of a web application is the Tamper Data add-on, which is available from https://addons.mozilla.org/firefox/addon/966.

Drupal's Form API ensures that the form ...
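The check behind the scenario above, as an added illustration (not code from the book or from Drupal core): a form definition mimicking the Form API's `#options` array, a naive handler that trusts the browser, and a validator that rejects any submitted value the server never offered. The function names and the tampered submission are constructed for this example.

```php
<?php
// Server-side definition of the form: the keys of #options are the
// only legal choices, whatever the browser (or a proxy) sends back.
function example_form_definition() {
    return array(
        'role' => array(
            '#type'    => 'select',
            '#options' => array('reader' => 'Reader', 'editor' => 'Editor'),
        ),
    );
}

// Naive handler: accepts whatever arrived in the POST body, so an
// option added by editing the saved HTML is stored as if it were real.
function example_naive_submit(array $post) {
    return $post['role'];
}

// Semantic validation: every submitted value for an element with
// #options must be one of the keys the server itself generated.
// Returns an array of error messages, empty when the submission is valid.
function example_validate(array $form, array $post) {
    $errors = array();
    foreach ($form as $name => $element) {
        if (!isset($element['#options'])) {
            continue;
        }
        $value = isset($post[$name]) ? $post[$name] : NULL;
        // Reject missing values, non-scalar values (e.g. arrays injected
        // via role[]=...) and any key not present in #options.
        if (!is_scalar($value) || !array_key_exists($value, $element['#options'])) {
            $errors[$name] = "Illegal choice detected for field '$name'.";
        }
    }
    return $errors;
}

// Constructed submissions: one tampered (an option the form never offered)
// and one legitimate.
$form      = example_form_definition();
$tampered  = array('role' => 'administrator');
$honest    = array('role' => 'editor');

var_dump(example_naive_submit($tampered));   // the naive handler takes it
var_dump(example_validate($form, $tampered)); // one error for 'role'
var_dump(example_validate($form, $honest));   // no errors
```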
