#DANGEROUS_SKIP_CHECK: the most evil of the Form API properties

webchick's picture

Tucked away in form.inc is the little-known #DANGEROUS_SKIP_CHECK property of the Form API. It's so evil that it's not even documented!

What can you use this little nugget of fiendishness for?

One reason might be if you wanted to populate or manipulate the values of a select box using JavaScript (preferably with some <blink> tags involved somehow, for maximum perversion). Upon submitting the form, the Form API, valiantly trying to save you from allowing malicious users to pass in their own data, would inform you that the options passed into the form didn't match what the form gave it, and would inform you that an illegal choice had been made.

Valiant, built-in protection? Feh! Who needs that?

Just slap a '#DANGEROUS_SKIP_CHECK' => TRUE property on your select box, and you're off and running. Of course, if you were some kind of goody-goody who didn't want the hordes of evil users passing in malicious input unfettered, you would probably want to make sure you perform your own validation on this before passing it into the form.

But who needs that? We're evil, after all! ;)

Comments

For extra evil

bonobo's picture

RE: "(preferably with some <blink> tags involved somehow, for maximum perversion)"
This is the type of functionality that should only be implemented with the Web 2.1 server-side blink.

Is this undocumented

mfredrickson's picture

Is this undocumented property needed with the new, lightly documented #multipart?

still needed

moshe weitzman's picture

Thankfully, this evil property is still needed, for those who crave evil. Sometimes you add form elements client side and have to let fapi know about those after a POST. So in this case multipart would not be desired (who needs an extra page refresh?).

so sad - bye #DANGEROUS_SKIP_CHECK

moshe weitzman's picture

I resisted chx greatly at first but he finally convinced me to RTBC the patch which got rid of this evil property. I paid homage to this post in the update docs.

form #post_render use case in Drupal 6

arcane's picture

I am using the form #post_render property to change the options values of a nodereference widget by way of writing an element handler that changes the content of the nodereference options (I change the $content variable but not $element). This seems to trigger the "An illegal choice has been detected. Please contact the site administrator." error described above part of the time. Given that the Skip Dangerous check has been removed from D6, can anyone suggest a workaround? I did not understand http://drupal.org/node/182310 since this does not have anything to do with JavaScript.

Possible Solution

cwebster's picture

I know this is an extremely late response, but maybe this will help someone out there. Not sure if this is exactly a "standard" solution, but my post at the end of this thread might be a workable solution: http://drupal.org/node/339730#comment-2871966 .

Works in #post_render

arcane's picture

This works in #post_render, and also #pre_render. The error I was getting regarding an illegal choice was found to be unrelated. See http://drupal.org/node/339730 for an explanation.

Just how unsafe is #DANGEROUS_SKIP_CHECK

ngmaloney's picture

I know this thread is a little old, but the info is really useful. Is the #DANGEROUS_SKIP_CHECK really that dangerous if one made sure to run the submitted values through their own validation routine?

I'm using this attribute to validate some dynamically generated form selects. The validation limits the allowed values so wouldn't this mitigate the risk to the same level as the default validation?
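
The do-your-own-validation approach that the post mentions and the last comment asks about, as an added example that is not code from the post, the thread or Drupal itself: a Drupal 5-style form whose region select is filled in by JavaScript, with a validate handler that re-derives the allowed values on the server. The module name `mymodule`, its function names and the country/region data are assumptions made up for illustration.

```php
<?php
// Hypothetical module "mymodule", Drupal 5-style Form API.
// The region list is filled in by JavaScript, so the server never rendered
// its options and the built-in choice check has nothing to compare against.

// Server-side source of truth: valid regions per country (constructed data).
function mymodule_regions($country) {
  $map = array(
    'ca' => array('on' => 'Ontario', 'qc' => 'Quebec'),
    'us' => array('ny' => 'New York', 'wa' => 'Washington'),
  );
  return isset($map[$country]) ? $map[$country] : array();
}

// TRUE only if $region is a plain string key that is valid for $country.
function mymodule_region_allowed($country, $region) {
  if (!is_string($country) || !is_string($region)) {
    return FALSE; // e.g. a posted region[]=x arrives as an array
  }
  // Key lookup rather than in_array(): no loose-comparison surprises.
  return array_key_exists($region, mymodule_regions($country));
}

function mymodule_form() {
  // Static options: the normal built-in choice check still covers this one.
  $form['country'] = array(
    '#type' => 'select',
    '#title' => t('Country'),
    '#options' => array('ca' => t('Canada'), 'us' => t('United States')),
  );
  $form['region'] = array(
    '#type' => 'select',
    '#title' => t('Region'),
    '#options' => array(), // populated client-side
    '#DANGEROUS_SKIP_CHECK' => TRUE,
  );
  $form['submit'] = array('#type' => 'submit', '#value' => t('Save'));
  return $form;
}

// Validate handler: stands in for the check that was switched off above.
// The allowed set comes from server data, never from anything in the POST.
function mymodule_form_validate($form_id, $form_values) {
  if (!mymodule_region_allowed($form_values['country'], $form_values['region'])) {
    form_set_error('region', t('An illegal choice has been detected.'));
  }
}
```

The two `mymodule_region*` helpers are plain PHP and can be exercised outside Drupal; the form builder and validate handler rely on Drupal's `t()` and `form_set_error()`.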
