Open modxbot opened 13 years ago
splittingred submitted:
You mean for MODX manager forms? Or for forms used by an Extra, such as FormIt?
everettg_99 submitted:
More like forms for Extras. What I was thinking of is exposing an API method for generating and checking nonces used to secure forms. It's the type of thing that Snippet/CMP developers could tap into without having to develop their own security checks.
E.g. a WordPress form might be something like this:
And then when I submit that form, I can check the value of it to ensure its authenticity:
    // Compare the submitted hidden-field value against the expected nonce
    if ( ! wp_verify_nonce( $_POST['my_nonce'] ) ) {
        // Die with error
    }
    // Proceed with form handling
Even if this is something that MODx does auto-magically, the way a developer might think about constructing his own secure forms matches up pretty nicely with functions like this.
splittingred submitted:
Going to move this to Revo project as a feature request; it's a good one.
splittingred submitted:
Moving as a feature request for a nonce-method.
everettg_99 submitted:
See also http://fullthrottledevelopment.com/php-nonce-library
everettg_99 created Redmine issue ID 3959
This is kinda throwing a bone to all WordPress users, but it'd be a leg-up security-wise to automatically generate a NONCE for all MODx generated forms, similar to wp_nonce.
As a cross-comparison, check out WordPress' functions:
As a developer, I can rant for hours at how immature and awkward the WordPress functions are, but I can also tell you that they are easy to use. Something comparable for MODx would be welcome.
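The generate-on-render / verify-on-submit flow everettg_99 describes above, and the automatic per-form nonce the original issue asks for, can both be shown with a small helper in the style of wp_create_nonce() / wp_verify_nonce(). This is an added example, not MODX, Extra or WordPress code: the function names (nonce_create, nonce_verify, nonce_field), the hidden-field name `my_nonce`, the 12-hour tick and the secret/user values in the demo are all assumptions made for illustration.

```php
<?php
// Added example (not MODX or WordPress code): a minimal nonce helper.
// Names nonce_create/nonce_verify/nonce_field and the 'my_nonce' field are assumptions.
declare(strict_types=1);

// Lifetime of one "tick". A nonce is accepted for the current tick and the
// previous one, so it is valid for between LIFETIME and 2*LIFETIME seconds.
const NONCE_LIFETIME = 12 * 3600;

function nonce_tick(int $now, int $lifetime = NONCE_LIFETIME): int
{
    return intdiv($now, $lifetime);
}

// Derive the nonce for (action, user, tick) with an HMAC keyed by a server-side
// secret; without the secret a client cannot produce a value that verifies.
// $action and $userId must not contain '|' or the message could be ambiguous.
function nonce_create(string $secret, string $action, string $userId, int $now, int $tickOffset = 0): string
{
    $tick = nonce_tick($now) - $tickOffset;
    $mac  = hash_hmac('sha256', "$tick|$action|$userId", $secret);
    return substr($mac, 0, 20); // truncated to keep the hidden field short
}

// Accept the submitted value only if it matches the nonce for this action and
// user in the current or the previous tick. hash_equals() is constant-time.
function nonce_verify(string $secret, string $submitted, string $action, string $userId, int $now): bool
{
    foreach ([0, 1] as $offset) {
        $expected = nonce_create($secret, $action, $userId, $now, $offset);
        if (hash_equals($expected, $submitted)) {
            return true;
        }
    }
    return false;
}

// The hidden input a Snippet would print into its form.
function nonce_field(string $secret, string $action, string $userId, int $now, string $name = 'my_nonce'): string
{
    $value = htmlspecialchars(nonce_create($secret, $action, $userId, $now), ENT_QUOTES, 'UTF-8');
    $name  = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    return "<input type=\"hidden\" name=\"$name\" value=\"$value\">";
}

// --- Demo with constructed values (run with: php nonce.php) ---
$secret = 'constructed-secret-replace-with-a-random-server-side-key';
$user   = '42';   // constructed: id of the logged-in user (or a session id for guests)
$now    = time();

echo nonce_field($secret, 'contact_form', $user, $now), "\n";

// Simulated POST of that form.
$post = ['my_nonce' => nonce_create($secret, 'contact_form', $user, $now)];

// A value that differs from the real nonce in its first character.
$tampered = ($post['my_nonce'][0] === 'a' ? 'b' : 'a') . substr($post['my_nonce'], 1);

$checks = [
    'valid'         => nonce_verify($secret, $post['my_nonce'], 'contact_form', $user, $now),
    'wrong action'  => nonce_verify($secret, $post['my_nonce'], 'delete_post', $user, $now),
    'other user'    => nonce_verify($secret, $post['my_nonce'], 'contact_form', '7', $now),
    'previous tick' => nonce_verify($secret, $post['my_nonce'], 'contact_form', $user, $now + NONCE_LIFETIME),
    'expired'       => nonce_verify($secret, $post['my_nonce'], 'contact_form', $user, $now + 2 * NONCE_LIFETIME),
    'tampered'      => nonce_verify($secret, $tampered, 'contact_form', $user, $now),
];
foreach ($checks as $case => $ok) {
    printf("%-14s %s\n", $case, $ok ? 'accepted' : 'rejected');
}
```

In a form handler the check is the same shape as the wp_verify_nonce() snippet earlier in the thread: call nonce_verify() with the posted field, the action the form was rendered for and the current user, and stop with an error response when it returns false. Binding the HMAC to the action and the user is what stops a token minted for one form from being replayed against another, and the two-tick window gives the token a bounded lifetime without storing anything server-side.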