Missing validation for custom field formats based on RecordList
Assignee: Jean-Philippe Lang
No validation is performed on input given to custom field formats (all based on RecordList). While displayed choices are properly restricted, manipulation of the form on the client side allows sending arbitrary record IDs, which will be accepted without further checks.
The attached patch (tested on Redmine 3.4.6) adds a validation function to RecordList.
Missing validation for custom field formats based on RecordList (#29674).
Patch by Alexander Achenbach.
#1 Updated by Takenori TAKAKI 9 months ago
- File 29674_test_added.patch added
I also think that the validation that 'Alexander Achenbach' pointed out should be done.
Actually, by manipulating the form on the client side, it was possible to send an arbitrary record ID.
I added test code to the patch made by 'Alexander Achenbach' and have attached it.
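
The server-side check this report asks for, sketched as an added example (it is not the attached patch and not Redmine's code): every submitted record ID is compared against the set the form would have offered. The class `RecordListField`, its methods and the sample records are hypothetical.

```ruby
# Added illustration: class, method and sample names are hypothetical, not Redmine's.
class RecordListField
  # allowed: {record_id => label}, the records the form would offer as choices.
  def initialize(allowed, multiple: false)
    @allowed_ids = allowed.keys.map(&:to_s)
    @multiple = multiple
  end

  # Before: the submitted value is stored as-is; only the rendered
  # <select> limited the choices, and the client controls that.
  def accept_unchecked(submitted)
    normalize(submitted)
  end

  # After: re-check every submitted ID against the allowed set on the server.
  # Returns a list of error messages; empty means the value is acceptable.
  def validate(submitted)
    values = normalize(submitted)
    errors = []
    errors << 'accepts only one value' if !@multiple && values.size > 1
    errors << 'is not included in the list' unless (values - @allowed_ids).empty?
    errors
  end

  private

  # Forms send strings, sometimes an array with a blank placeholder entry.
  def normalize(submitted)
    Array(submitted).map { |v| v.to_s.strip }.reject(&:empty?)
  end
end

# Constructed sample data: two records the current user may pick from.
SINGLE = RecordListField.new({ 3 => 'Alice', 7 => 'Bob' })
MULTI  = RecordListField.new({ 3 => 'Alice', 7 => 'Bob' }, multiple: true)

if __FILE__ == $PROGRAM_NAME
  p SINGLE.accept_unchecked('42')   # unchecked path keeps the foreign ID
  p SINGLE.validate('7')            # offered choice
  p SINGLE.validate('42')           # ID that was never offered
  p MULTI.validate(['', '3', '42']) # one valid, one foreign ID
end
```
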