Ahah Forms v1.5 - Secure Dynamic Subforms

Posted by starbow

At the Drupal Summit, chx & eaton let me know that bypassing FormAPI's security by reading $_POST directly was a bad idea. So I dropped the slide from my presentation that talked about how to create dynamic subforms, and spent the last two weeks hacking like mad. I now have an approach that I believe combines convenience and security. It is packaged up in Ahah Forms v1.5 as the dynamic_subform.module. It uses the same basic algorithm as drupal_get_form when #multistep is true (but it is incompatible with #multistep, so don't try to use both of them).

I have a full write-up at: Secure Dynamic Forms and Subforms, but here is an example of the functions in use:

<?php
function poll_form($node) {
  // ... set up the static form elements and the wrapper ...

  // Actually build the widget and put it in the wrapper.
  // The subform is built through the module, not from $_POST, so FormAPI
  // still controls which values are accepted.
  $form['choices'] += dynamic_subform_get_embedded('poll_node_form', 'poll_choices_subform', $node);

  // ... add in more static form elements ...
  return $form;
}

// Called by ahah_forms.js to swap out the subform.
function _poll_update_js() {
  $choices = dynamic_subform_get_prepped('poll_node_form', 'poll_choices_subform', NULL);
  // Return any validation messages together with the re-rendered subform.
  print theme('status_messages') . drupal_render($choices);
}
?>

This approach works with or without JavaScript enabled. I have done a chunk of testing with different attack models, but I would love to get some contributions of more tests and attacks to run against it.
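To make the security point concrete, here is an added illustration that is not code from Ahah Forms or dynamic_subform.module: the callback pattern the post moved away from, beside one that applies the same form_id and form_token checks drupal_get_form relies on before touching the subform. It assumes Drupal 5 core (hidden form_id and form_token elements on every rendered form, drupal_valid_token() verifying a token issued by drupal_get_token($form_id)); the functions ending in _example are hypothetical, and whether dynamic_subform_get_prepped() already performs equivalent checks internally is not stated here, so they are spelled out.

```php
<?php
// Added illustration, not code from Ahah Forms or dynamic_subform.module.
// Assumes Drupal 5 core: every rendered form carries hidden 'form_id' and
// 'form_token' elements, and drupal_valid_token() verifies a token that
// drupal_get_token($form_id) issued. Functions ending in _example are
// hypothetical stand-ins for the poll module's real AHAH callback.

// The pattern the post warns against: the callback reads $_POST itself.
// Nothing proves the request came from a form this user was shown, and
// none of FormAPI's token or element checks ever run on the values.
function _poll_update_js_unchecked_example() {
  $choices = isset($_POST['choices']) ? (array) $_POST['choices'] : array();
  foreach ($choices as $choice) {
    print '<li>'. check_plain($choice) .'</li>';
  }
}

// Defensive version: apply the two checks drupal_get_form() applies to a
// normal submission before handing the post to the subform machinery.
function _poll_update_js_checked_example() {
  $form_id = 'poll_node_form';
  $ok = isset($_POST['form_id']) && $_POST['form_id'] === $form_id
     && isset($_POST['form_token'])
     && drupal_valid_token($_POST['form_token'], $form_id);
  if (!$ok) {
    // Treat a missing or bad token as a validation failure: report it the
    // way FormAPI does and rebuild nothing from the posted values.
    drupal_set_message(t('Validation error, please try again.'), 'error');
    print theme('status_messages');
    return;
  }
  // The post is tied to the expected form, so let the module rebuild the
  // widget exactly as the post's _poll_update_js() does.
  $choices = dynamic_subform_get_prepped('poll_node_form', 'poll_choices_subform', NULL);
  print theme('status_messages') . drupal_render($choices);
}
?>
```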

I strongly recommend that anyone who is using my Ahah work upgrade to the latest release (1.5-3 at the moment). I built a simple example of a dynamic list for other developers to use as a starting point. Check out the todos.module, in the examples/todos directory, for my recommendation of best practices.

And if anyone is using the framework to build cool stuff, I would love to hear about it.

Comments


Posted by bcn

Once again, this is very nice, and I'm really glad to see your steady progress, especially with regards to sanitizing _POST variables... Also, nice work on the no-js degradation...

Thanks for your time that you've put toward this effort, it is definitely going to add (significantly) to drupal usability and reputation.


Posted by strudeau

++ ... I can't wait to block out some time to take a good look at this.

subform_element

Posted by fago

Interesting... You might have a look at my subform_element module, which also inserts a subform in another form - but it has nothing to do with ajax. It just works like a normal form element (except for form submit, which one just has to invoke on form submit) - so perhaps it could already be combined with your framework?


Posted by KentBye

I saw your Views_ui.module demo at the OSCMS, and so I replaced the views_ui.module with your views_ui.module-example.
Works great.

I also wanted to dig beneath how you were doing your UI as the form updated, and so I published my notes and graphics here:
http://docs.google.com/Doc?id=dczgjp36_48ctkpt3

Dynamic subforms for cck widgets?

Posted by wmostrey

Hi all,

This module works perfectly for regular forms, but things are a lot harder for widgets: you don't have a hook_form but a hook_widget with $op == "form". I tried creating a separate _form function for this, but the hard part is that the $items variable also needs to be passed. Does anyone have any hints on how to get this working for multiple value widgets?

d6

Posted by moshe weitzman

Widgets are basically going away in the D6 version of CCK. Perhaps this will become a non-issue. See http://drupal.org/node/157176