http://qs321.pair.com?node_id=661086

This is spawned from looking into problem loggin into pm .. It appears that the problem there was that a field value was too long -- the browser respects the http attribute maxlength=8, and so truncates the value before posting. But when trying to submit the form directly w/WWW::Mechanize, it doesn't know to truncate, and sends the full string, and authentication must fail because server compares against the 8-character password.

So i started poking at WWW::Mechanize and HTML::Form to see where logic could be added to truncate values if the input field has a maxlength, and came up w/two potential spots:

(A) In HTML::Form::TextInput::value() (it's defined in HTML/Form.pm), change $self->{value} = shift; to:
my $v = shift; my $n = exists $self->{maxlength} ? $self->{maxlength} : undef; $self->{value} = $n ? substr($v,0,$n) : $v;

(B) In WWW/Mechanize.pm, add logic in the field() and set_fields() methods to do the same thing, where $n = $form->find_input(...)->{maxlength}. Would have to do something to the $form->value($name => $value); calls, too.

While (B) limits it to this specific case, it's a much messier implementation, and breaks encapsulation.

Thoughts/comments?
(A) vs (B)?
Or (C) of neither, and user constructing the post should know the limits/restrictions?
Also, should (probably yes?) either solution be conditional on some option/config setting so as to leave default behavior alone?

Replies are listed 'Best First'.
Re: RFC: Where to patch to enforce maxlength in Mech?
by Fletch (Bishop) on Jan 08, 2008 at 16:03 UTC

    I'd go for making it optional and/or easily turned off as I could see applications where one would want to be able to misbehave (e.g. penetration testing, sending intentionally malformed/oversized input to check that the receiver is well behaved)

    The cake is a lie.
    The cake is a lie.
    The cake is a lie.

Re: RFC: Where to patch to enforce maxlength in Mech?
by perrin (Chancellor) on Jan 08, 2008 at 16:34 UTC
    It belongs in HTML::Form, where the enforcement of hidden fields is. However, it must be optional. The hacky way of turning off the hidden field behavior of HTML::Form is the most irritating thing about Mechanize.
      I thought about it some more and just went w/a patch that adds a warning. That would help at least identify times when this is quietly causing a problem (like the post that started this) and is a nice easy, straight-forward, non-intrusive patch. Patch: http://rt.cpan.org//Ticket/Display.html?id=32239