Symfony2 validation filters - validation

In my Symfony 2 application I need to filter input before passing it on to validation [1], however, I can't seem to find any system within Symfony to do this.
The type of filtering I'm looking for is e.g. to be able to filter a dash out of a specific field before validating it. E.g. users can enter 123-123 but the only accepted value is 123123. Just as I can set up validation rules with constraints, I'm looking for something similar for filters.
[1] http://symfony.com/doc/current/book/validation.html

Nifr's answer is good but is missing an important alternative that, if I understand your question correctly, seems to fit your needs perfectly.
You can use a hook that is pretty much an event listener: if something happens or is going to happen, it intercepts the event and redirects it to your function.
In this case, you need a PRE_BIND hook (deprecated since version 2.3; it is now called PRE_SUBMIT).
Read this if you need help about

Either write your own Validation Assert to filter and then proxy the other validators for this purpose ...
... or one or multiple Regex Asserts.
... or use a DataTransformer to transform/filter the input.
With the DataTransformer involved you could as well consider creating a new FieldType which renders two inputs with a separator like the date form-field does (if not used with widget => single_text).
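
The PRE_SUBMIT approach from the answers above, as an added example that is not part of the original posts. The form type name, the `code` field and the digits-only pattern are assumptions, and the array-style syntax targets Symfony 2.3.

```php
<?php
use Symfony\Component\Form\AbstractType;
use Symfony\Component\Form\FormBuilderInterface;
use Symfony\Component\Form\FormEvent;
use Symfony\Component\Form\FormEvents;
use Symfony\Component\Validator\Constraints\Regex;

// Hypothetical form type; "code" is an assumed field name.
class CodeType extends AbstractType
{
    public function buildForm(FormBuilderInterface $builder, array $options)
    {
        $builder->add('code', 'text', array(
            // The constraint sees the normalized value, so "123-123" passes
            // as "123123" while anything else non-numeric is still rejected.
            // The /D modifier stops "$" from accepting a trailing newline.
            'constraints' => array(new Regex(array('pattern' => '/^\d+$/D'))),
        ));

        // PRE_SUBMIT receives the raw submitted data before it is mapped
        // onto the fields and before any constraint is evaluated.
        $builder->addEventListener(FormEvents::PRE_SUBMIT, function (FormEvent $event) {
            $data = $event->getData();
            // Only touch the one field, and only if it is a plain string:
            // request data can also arrive as nested arrays.
            if (is_array($data) && isset($data['code']) && is_string($data['code'])) {
                $data['code'] = str_replace('-', '', $data['code']);
                $event->setData($data);
            }
        });
    }

    public function getName()
    {
        return 'code';
    }
}
```

The filter removes only the one character the application expects; validation remains the gate that decides whether the value is accepted.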

Related

Scala Play form mapping and validation

I'm creating some system that can accept different incoming JSONs with ~40 fields inside. But as you may know, Play form mapping can accept up to 18 fields maximum.
So I thought it could be a good idea to split these incoming fields into groups. For example Group1, Group2.. Group8. So I would accept only 8 parameters inside each group and these groups will have their own form mappings (where all fields are optional).
It was ok, until I came to the point: for some form mappings (for case classes) these fields must be mandatory.
For example, FormMapping1 must have Group1.field1, if not - form should give a validation error. But FormMapping2 can ignore Group1.field1, but Group2.field2 is mandatory for it.
But how should I create Group1 form mapping then?
As Forms do convert JSONs to objects, it's hard for me to imagine, how can I even do this validation. I mean, my case classes should have different constructor for each case I'm having mandatory field?
I hope I've described the situation well.
Would be great to hear from you some strategies of dealing with such issues. As I suppose my strategy isn't the best.
Thanks in advance!
P.S. currently I'm thinking about moving away from Play Form validation to something else.

How to disable “the error the value ‘abc’ is not valid for IntegerProperty”

I hope someone can help me out to disable the default validation that MVC 3 runs when I post a string value in an integer field. Currently the application will add the error “the value ‘abc’ is not valid for IntegerProperty” to the ModelState before our validators are executed.
We don’t use client side validation and have our own validators that are loaded in the Global.asax. We only want to use these validators to check the input and would like to disable this check.
Is it possible to disable this behavior?
Thanks in advance,
André
I think the best solution for your issue is to implement a custom model binder to override the default behavior if you really want/need to be able to take alpha chars in a numeric field.

How to force Wicket "onchange" AJAX events to be triggered if fields fail validation conditions

The specific case I've got in mind is as follows: an AjaxFormComponentUpdatingBehavior("onchange") is added to a TextField in a form. The behavior verifies the text for certain conditions (either the model object or the form component model, doesn't matter), based on which it might display a message (or hide it, if it has already been shown).
The problem is, there are also validators added to the TextField. One of the possible (and likely) scenarios consists of the user typing in, first, a value that causes the message to be displayed by the AJAX request. If, then, he/she types in a value that doesn't pass validation, the message should disappear, but it does not.
Apparently, either the onUpdate() method for the AJAX behavior is not called at all, or I am failing in my attempts to insert a check for non-validated entries (I have tried to test for both null values and empty strings, to no avail; I have no idea what exactly Wicket's validators do to models when data is invalid).
I am wondering if someone who actually understands validators (or AJAX, actually) has any ideas on where the problem could be.
I can edit and post code if someone tells me this is not a general issue tying validators and AJAX, but most likely a programming mistake. I still believe the former and thus I'll refrain from posting code sections, in order to keep the discussion on an API/theoretical frame.
Thanks.
When using an AjaxFormComponentUpdatingBehavior, if any of the IValidators fail their validation, onError() will be called instead of onUpdate(). Wicket will effectively prevent invalid user input from reaching the IModels in your components, so the component's ModelObject will not be changed at all. The invalid input will probably remain available by means of getInput()/getConvertedInput() (not sure if it will in an AJAX scenario, it sure is in a traditional form submission).
However, take into account that IFormValidators are not executed when using this mechanism. If you've got any, you might be interested in overriding getUpdateModel() so that AjaxFormComponentUpdatingBehavior will not bring maybe-invalid user input into your IModels, and set modelobjects manually when you're certain user input is valid.
Regarding your specific case, you could perform all the required logic in onError() (or rely on Models that will grab data from somewhere else), and just add the components that need refreshing to the AjaxRequestTarget. This is probably what's missing in your scenario.

How do you validate an archetype field that is not required, but if you give it, you should validate?

Products.validation has some validators (like regex) that I would like to use in some non required fields.
So, the use case is: The validation is required, but only if the field is not empty.
How do you do it? I know I can create a custom validator, check the REQUEST and do all the magic, but this seems wrong to me: I should avoid creating custom code since I should just register the RegexValidators from Products.validation and use it. I tried to understand V_SUFFICIENT and register a regex validator using it, but isn't applicable to my situation.
I couldn't find anything on the internet, on mailing lists, on nabble, etc. So, how do you validate your fields that aren't required, but if the user provides something, you then need to validate?
I need this in a Plone 3.3.5 instance.
You can use required = False and your desired validators:
http://plone.org/documentation/manual/developer-manual/archetypes/fields/fields-reference#common-field-attributes

Why doesn't CodeIgniter's XSS filter clean all?

Why does CodeIgniter's XSS filter only react through regular expressions on specific things instead of sanitizing all input in the first place regardless if the content is tainted or not? Also, why is this done during input and not on output (like it's supposed to be?)
Why does CodeIgniter's XSS filter only react through regular expressions on specific things instead of sanitizing all input in the first place regardless if the content is tainted or not?
This doesn't make much sense. How are we to tell whether or not something is "tainted" without checking it first?
By the definition of CI's xss_clean(), we don't always want to sanitize input. As you mentioned, it's the output that matters - and that's where we need to be mindful of XSS attacks. If we always "sanitize" input with CI's xss_clean(), then how would I, for one example, be able to post javascript or PHP code examples on my blog, or let users do it in the comments? It would end up getting [removed].
Also, why is this done during input and not on output (like it's supposed to be?)
You do have the option to enable the global xss filter in your CI config, which will run xss_clean() on $_POST, $_GET, and $_COOKIE data automatically before you can get your hands on it. This is the lowest level possible to protect you from yourself, but the option is always available to instead clean the data explicitly. For example:
// With the Input class on $_POST data
$this->input->post('username', TRUE); // Second parameter runs xss_clean
// Using the Security class on any data
$this->security->xss_clean($username);
// Using the Form Validation class to automatically clean the input
$this->form_validation->set_rules('username', '', 'xss_clean');
Since you could still simply use $_POST['username'] instead, by enabling the global filter it will already be xss_cleaned for you. This is the lazy way to do it, and unfortunately once those globals are cleaned, there's no way to undo it.
If you are already aware of when and where XSS attacks can happen - you have the function easily available to use if you wish. Keep in mind that this does not magically make all data "safe", it merely prevents some of the more malicious code injection. Something more harmless like </div> will get past this filter. You should always be sanitizing input explicitly in an appropriate way for the context in which it is used.
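
Encoding for the output context, as the answer recommends, sketched as an added example in plain PHP (not CodeIgniter's own code). The helper names and the sample comment are constructed for illustration.

```php
<?php
// Constructed sample: a comment that legitimately contains markup, of the
// kind an input-time filter would mangle or partially let through.
$comment = 'Try <script>alert("hi")</script> or close a tag with </div> & see';

// HTML element content or a quoted attribute value.
function e_html($value)
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// A string literal inside an inline <script> block. The HEX flags keep
// "<", ">", "&" and quotes from ending the script element or the literal.
function e_js($value)
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
}

// A single URL query component.
function e_url($value)
{
    return rawurlencode($value);
}

// The stored value is untouched; each sink applies its own encoder.
echo '<p>' . e_html($comment) . "</p>\n";
echo '<input name="c" value="' . e_html($comment) . "\">\n";
echo '<script>var c = ' . e_js($comment) . ";</script>\n";
echo '<a href="/search?q=' . e_url($comment) . "\">search</a>\n";

// Encoding is lossless: decoding the HTML form gives back the original
// text, so code samples in comments display exactly as written.
var_dump(html_entity_decode(e_html($comment), ENT_QUOTES, 'UTF-8') === $comment);
```

Each encoder is only correct for its own sink: a value passed through `e_html()` is not safe to drop into a script block or a URL.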
