Users can bypass field requirements and format restrictions when submitting ads
Here is how you can reproduce this bug, still present in CP 3.3.3 although it was reported prior to the release of 3.3.1 (here).
Go to a ClassiPress site. You can use the AppThemes demo site to witness the bug, although they don't allow posting of actual ads so you won't be able to do the final step.
1. Start creating a new ad. Select a category (e.g. Auto > Boats > Sail boats).
2. Notice “Title”, “Price”, “State” , “City”, and “Description” are required (the fields have asterisks).
3. Fill out all of those fields except for “Price” (leave that one blank).
4. Use a live HTML inspector (e.g. in Firefox, right-click the “Price” field and press “Q”; or use Firebug) to remove the “required” class from the “cp_price” <input> element. See screenshot below:
[screenshot: edit-html.png]
5. Click the “Continue” button to submit the form.
6. Notice the “Price” field is empty in the “Review Your Listing” page (see screenshot below). Whatever server-side validation was done to the field didn’t catch it.
[screenshot: review-listing.png]
Final Step:
Since the ClassiPress demo site won’t allow visitors to post ads, I performed the above steps on another ClassiPress-based site I found online. I was able to post an ad without a required price.
[screenshot: ad-without-price.png]
Another way to say this: AppThemes is relying on CLIENT-SIDE validation instead of SERVER-SIDE validation before inserting data into the database.
Users can circumvent our custom field rules using the steps above.
Last edited by almightyeric; May 11th, 2014 at 12:20 AM.
Reason: add introductory sentence
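The fix the report is asking for is a server-side check that does not depend on anything the browser sends about the form's markup. The following is an added example written for this page, not ClassiPress or AppThemes code: a small PHP validator that applies the field rules on the server after the form is posted. Only the “cp_price” field name is taken from the report above; the other field names, the `cp_validate_ad_fields` function and the rule definitions are assumptions. The same rule table would also be the source for the client-side “required” classes, so the two cannot drift apart.

```php
<?php
// Added example (not ClassiPress/AppThemes code): server-side validation of
// ad fields that ignores whatever "required" classes the browser rendered.
// Field names other than cp_price, the function name and the rule set are
// hypothetical.

/**
 * Validate a posted ad against a rule table.
 *
 * @param array $fields  Posted form data (e.g. $_POST).
 * @param array $rules   Field name => ['label' => ..., 'required' => bool,
 *                       'pattern' => regex, 'max_length' => int].
 * @return array         Field name => error message; empty when valid.
 */
function cp_validate_ad_fields(array $fields, array $rules): array
{
    $errors = [];
    foreach ($rules as $name => $rule) {
        $value = isset($fields[$name]) ? trim((string) $fields[$name]) : '';

        // Required check: decided here, never by the client.
        if (!empty($rule['required']) && $value === '') {
            $errors[$name] = sprintf('%s is required.', $rule['label']);
            continue;
        }
        if ($value === '') {
            continue; // optional and empty: nothing further to check
        }

        // Format restrictions are enforced server-side as well.
        if (isset($rule['pattern']) && !preg_match($rule['pattern'], $value)) {
            $errors[$name] = sprintf('%s has an invalid format.', $rule['label']);
        }
        if (isset($rule['max_length']) && strlen($value) > $rule['max_length']) {
            $errors[$name] = sprintf('%s is too long.', $rule['label']);
        }
    }
    return $errors;
}

// Rule table for the fields the report lists as required (constructed).
$ad_rules = [
    'post_title'   => ['label' => 'Title',       'required' => true, 'max_length' => 200],
    'cp_price'     => ['label' => 'Price',       'required' => true, 'pattern' => '/^\d+(\.\d{1,2})?$/'],
    'cp_state'     => ['label' => 'State',       'required' => true],
    'cp_city'      => ['label' => 'City',        'required' => true],
    'post_content' => ['label' => 'Description', 'required' => true],
];

// Constructed submission mirroring the report: the "required" class was
// stripped in the browser, so cp_price arrives empty.
$submission = [
    'post_title'   => 'Sail boat for sale',
    'cp_price'     => '',
    'cp_state'     => 'CA',
    'cp_city'      => 'San Diego',
    'post_content' => 'Lightly used, all sails included.',
];

$errors = cp_validate_ad_fields($submission, $ad_rules);
if ($errors) {
    // Re-render the form with the errors instead of proceeding to
    // "Review Your Listing" or inserting anything into the database.
    print_r($errors);
} else {
    // Only a submission that passed every rule reaches the insert step
    // (in WordPress, something like wp_insert_post()).
}
```

Running this with the constructed submission reports that Price is required, which is exactly the check the report shows being skipped. In a real WordPress handler the validator would sit after the nonce and capability checks and before any sanitization and insert; the point is simply that the rule table on the server, not the presence of a CSS class in the posted page, decides whether the ad is accepted.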