Hi Till,
Thanks for the response. I'd like to just quote everything and stick it in the database, but ticket 1463946 (http://trac.roundcube.net/ticket/1463946) suggests that there is a set of characters that are undesirable to store and may cause difficulty sending mail to users with strange names.
Which puts us in the position of picking and choosing what should go into the database. And then without proper feedback to the user, they have to play a guessing game about what they can and cannot use. So how about something like:
1.) A server side match against a regex like: /^[a-zA-Z _-]*$/ (I'll bet there's lots more characters people will want in there)
2.) On failure a message below the input box explaining that only such and such characters are allowed. (I'm not sure the transient nature of the existing error message display method is suitable for this task).
What would be icing on top of that cake would be a client side (js) check which would change the color of the input box to a red outline if it has bad characters (or something like that).
Thoughts?
Thanks, Ziba
Webmaster Team University of Michigan
till wrote:
On Wed, Oct 15, 2008 at 5:18 PM, Ziba Scott ziba@umich.edu wrote:
When editing contacts, some invalid characters are not stripped or handled in some way. They make it all the way to the SQL statement before things trip up. (Using a prepare statement thankfully prevents injecting a second statement. More details in: http://trac.roundcube.net/ticket/1485504)
I can work on a patch, but I'd appreciate some guidance first:
Should the backend explicitly validate the input against a regular expression? What is valid/invalid? How should the interface report bad characters and/or failed contact saves to the user?
Thanks, Ziba
Webmaster Team University of Michigan
I replied, let me know if this helps. :)
Thanks for all input!
Till
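
The server-side check and the message below the input box proposed in this thread, as an added example that is not part of the original messages or of Roundcube's code. The function names, the `field-error` CSS class and the sample names are assumptions; PHP 7.4 or later is assumed.

```php
<?php
// Added example: the names below are hypothetical, not Roundcube's own API.

// Allow-list from the message above; widen it (for example with \p{L} for
// non-ASCII letters) once the accepted character set has been agreed on.
const CONTACT_ALLOWED_CLASS = 'a-zA-Z _-';

/**
 * Distinct characters of $value outside the allow-list; [] means valid.
 * Returns null for malformed UTF-8, which is rejected outright.
 */
function contact_rejected_chars(string $value): ?array
{
    $found = preg_match_all('/[^' . CONTACT_ALLOWED_CLASS . ']/u', $value, $m);
    if ($found === false) {
        return null; // PCRE refuses a malformed subject in /u mode
    }
    return array_values(array_unique($m[0]));
}

/**
 * HTML for the message below the input box, or '' when the value is valid.
 * The rejected characters are user input, so they are HTML-encoded.
 */
function contact_field_error(string $value): string
{
    $bad = contact_rejected_chars($value);
    if ($bad === null) {
        return '<p class="field-error">This field is not valid UTF-8 text.</p>';
    }
    if ($bad === []) {
        return '';
    }
    $shown = array_map(
        fn(string $c): string => htmlspecialchars($c, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),
        $bad
    );
    return '<p class="field-error">Only a-z, A-Z, spaces, "_" and "-" are allowed. '
         . 'Please remove: ' . implode(' ', $shown) . '</p>';
}

// Constructed sample input.
foreach (['Ziba Scott', "O'Brien #2", '<Till>'] as $name) {
    $err = contact_field_error($name);
    echo $name, ' => ', $err === '' ? 'OK' : $err, PHP_EOL;
}
```

A client-side JavaScript check can mirror this for faster feedback, but the server-side check has to stay because the browser check can be skipped. The prepared statement remains in place regardless of the validation result.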