On 06.09.2011 11:09, Ralph Meijer wrote:
On Tue, 2011-09-06 at 09:24 +0200, Alexander Holler wrote:
[..]

I don't see any reason why the user should send a form to the server.

If using a form is wanted, the correct way would be that the user
requests a form for the request from the server, and sends back the
result, which is then processed by the server (resulting in a form for
the moderator).

The described way where the user generates a form only makes sense if
that form is forwarded to the moderator. But that would result in the
possible problems I've described (e.g. hidden fields and wrong labels).

I don't see how requesting a form from the service first somehow makes
this better. An attacker could simply ignore that form and submit its
own bad one.

What's the point that the user sends labels?

Where does the user get the list of required fields from?

Regards,

Alexander
