This report actually comes from Heine as a result of "Allow restricting tracker by node type".
When you go to admin/content/types/add you're told for names:

> It is recommended that this name consists only of lowercase letters, numbers, and spaces.

and for types:

> It is recommended that this name consists only of lowercase letters, numbers, and underscores.

Yet I can happily create a content type called "sdsda sd a'' !!@*&(&$*@#&$(#*W( ", and the same for the name, although it ends up as "sdsda sd a& #039;& #039; !!@*&(&$*@#&$(#*W(". The type will catch dashes though (?).
The fact that the text there reads "recommended" leads me to believe that this might be "by design," however at the very least:
1. Characters that could come into play in SQL injection attacks should not be allowed in types.
2. Probably neither should spaces or any other character that can't be part of a PHP function name, as I assume that's why dashes are not allowed.
3. If we want to allow wacky characters in the name (which I could see, for node types like "Mother's Recipe" or something), then they should not be double-escaped.
| Comment | File | Size | Author |
|---|---|---|---|
| #3 | validate-content-type_0.patch | 2.16 KB | chx |
| #1 | validate-content-type.patch | 2.19 KB | webchick |
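
An added example (not part of the original issue or of the attached patches): one way to enforce points 1 to 3 above in plain PHP. The function names and the exact patterns are assumptions made for illustration; the type pattern follows the wording of the form's help text.

```php
<?php
// Added example: hypothetical helpers, not Drupal API functions.

/**
 * Returns a list of validation errors for a proposed content type.
 * $type is the machine-readable type, $name the human-readable name.
 */
function example_validate_content_type($type, $name) {
  $errors = array();
  // Machine type: whitelist only. \z (not $) so a trailing newline cannot
  // slip through; quotes, spaces and dashes are all rejected.
  if (!preg_match('/^[a-z0-9_]+\z/', $type)) {
    $errors[] = 'type: only lowercase letters, numbers and underscores allowed';
  }
  // Human-readable name: punctuation such as an apostrophe is legitimate,
  // so only reject empty names and control characters. Store it raw.
  if (trim($name) === '' || preg_match('/[\x00-\x1F\x7F]/', $name)) {
    $errors[] = 'name: must be non-empty and contain no control characters';
  }
  return $errors;
}

/**
 * Escapes the stored (raw) name exactly once, at output time.
 */
function example_render_name($raw_name) {
  return htmlspecialchars($raw_name, ENT_QUOTES, 'UTF-8');
}

// Constructed sample input: array(type, name).
$samples = array(
  array('mothers_recipe', "Mother's Recipe"),
  array("sd a'' !!@", "sd a'' !!@"),
  array('my-type', 'My type'),
);
foreach ($samples as $sample) {
  list($type, $name) = $sample;
  $errors = example_validate_content_type($type, $name);
  echo $type, ' => ', $errors ? implode('; ', $errors) : 'ok', "\n";
}

// A second escaping pass re-encodes the ampersand of the entity produced by
// the first pass, which is the double-escaping described in point 3.
$once  = example_render_name("Mother's Recipe");
$twice = example_render_name($once);
echo $once, "\n", $twice, "\n";
```
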
Comments
Comment #1
webchick commented: This fixes #1 and #2. #3 is a different bug, so I'll make a separate issue for that.
Comment #2
RobRoy commented: Looks like we don't need that array('%type' => $type->type) in the t() string.
Comment #3
chx commented: Aside from that little array RobRoy spotted (and was in the original, redundant as well), this is the same patch and it works well.
Comment #4
dries commented: Committed to CVS HEAD. Wouldn't say it is critical though. Thanks.