I'd like to be able to use the validation API without allowing anybody to add PHP code through the UI. I consider this a security problem. It would be nice if you could follow core and put this functionality (which some people still will like) into an optional sub-.module (similar to php.module in core).

Comments

killes@www.drop.org’s picture

killes@www.drop.org commented

Also, you should make sure that people cannot use the /e modifier for regexps if the php-submodule is not enabled.

TapocoL’s picture

TapocoL commented

Separating the PHP functionality out of the module would have been a lot of work. So, for the first release I decided to just create permissions for inputting PHP validators. Also, they will not be allowed to use /e regex modifier if they are not permitted to input PHP validators.

I may be interested in separating the php functionality into a separate module for 2.0, so I will keep this issue active for now.