SEM Labs

Injection Protection

XFL

HTML forms are prone to the injection of bogus values into multiple-choice select elements, checkboxes, and other elements that accept array (multiple) values. Failing to remove these values can cause unwanted actions and vulnerabilities in web applications. The XFL parser automatically removes any submitted values that are not defined in the XFL document. The XFL collection validator can also be used to stop mass posting of values by malicious web users.

Example

XFL Fragment:

Post Data:

colours[0] = 'Cheap Cialis'
colours[1] = 'Generic Viagra'
colours[2] = 'Other Spam'

Submitting the above post data to an XFL form containing the above select element would result in all of the bogus post data being removed. The only values that can be posted to the select element are the ones defined within it: 'blue', 'red' and 'yellow'.
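The filtering described above, written out as an added example in Python; this is not XFL's own code, and the dictionary standing in for the XFL document (field name, allowed options, whether multiple values are accepted), the `parse_post` helper for the post-data notation used on this page, and the `validate_collection` limits are all assumptions made for the example. It shows the two layers the page describes: a collection check that rejects oversized submissions, and a per-value filter that keeps only the options the form defines.

```python
import re

# Constructed stand-in for the XFL document: allowed options per field and
# whether the field accepts multiple values (assumption; XFL itself is XML).
FORM_DEFINITION = {
    "colours": {"options": ("blue", "red", "yellow"), "multiple": True},
    "newsletter": {"options": ("yes",), "multiple": False},
}

# Constructed post data in the notation used on this page, one value per line.
SPAM_POST = """
colours[0] = 'Cheap Cialis'
colours[1] = 'Generic Viagra'
colours[2] = 'Other Spam'
"""

# Matches  name[index] = 'value'  as well as  name = 'value'.
_LINE = re.compile(r"^\s*(\w+)(?:\[(\d*)\])?\s*=\s*'([^']*)'\s*$")


def parse_post(text):
    """Turn the page's post-data notation into {field: [values]} (hypothetical helper)."""
    post = {}
    for line in text.splitlines():
        match = _LINE.match(line)
        if not match:
            continue
        name, _index, value = match.groups()
        post.setdefault(name, []).append(value)
    return post


def validate_collection(definition, post, max_values_per_field=10, max_fields=50):
    """Collection-level check run before per-value filtering.

    Returns a list of problems; an empty list means the submission is within
    limits.  Catches mass posting (too many fields or values) and fields the
    form never defined, without inspecting individual values yet.
    """
    problems = []
    if len(post) > max_fields:
        problems.append(f"too many fields submitted: {len(post)}")
    for field, values in post.items():
        if field not in definition:
            problems.append(f"unknown field: {field}")
        elif len(values) > max_values_per_field:
            problems.append(f"{field}: {len(values)} values exceeds limit {max_values_per_field}")
        elif len(values) > len(definition[field]["options"]):
            problems.append(
                f"{field}: {len(values)} values submitted, only "
                f"{len(definition[field]['options'])} options defined"
            )
    return problems


def sanitize(definition, post):
    """Keep only values the form defines; unknown fields are dropped entirely.

    Mirrors the page's behaviour: bogus select/checkbox values are removed,
    duplicates are collapsed, and single-value fields keep at most one value.
    """
    cleaned = {}
    for field, rule in definition.items():
        allowed = rule["options"]
        kept = []
        for value in post.get(field, []):
            # isinstance guards against non-string payloads (nested arrays etc.)
            if isinstance(value, str) and value in allowed and value not in kept:
                kept.append(value)
        if not rule["multiple"]:
            kept = kept[:1]
        cleaned[field] = kept
    return cleaned


if __name__ == "__main__":
    submitted = parse_post(SPAM_POST)
    print("collection problems:", validate_collection(FORM_DEFINITION, submitted))
    print("after filtering:", sanitize(FORM_DEFINITION, submitted))
```

With the page's spam post data the collection check passes (three values for a three-option field), and the per-value filter then empties `colours`, which is the outcome the page describes; a legitimate post of `'blue'` and `'red'` survives unchanged.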