Package home | Report new bug | New search | Development Roadmap Status: Open | Feedback | All | Closed Since Version 1.3.1

Bug #658 basename on action is counterproductive
Submitted: 2004-02-01 04:26 UTC
From: joey at q7 dot com Assigned: danielc
Status: Closed Package: HTML_Form
PHP Version: Irrelevant OS: Linux
Roadmaps: (Not assigned)    
Subscription  


 [2004-02-01 04:26 UTC] joey at q7 dot com
Description: ------------ the action passed to the new() function gets basename()ed when displayed which is irritating and not really very helpful. if i want to make a form that points outside my current directory i can't do it. i haven't experimented with % encoding yet to try and get around it. Reproduce code: --------------- $form = new HTML_Form('http://example.com/doit.cgi'); print $form->returnStart(); Expected result: ---------------- <FORM ACTION="http://example.com/doit.cgi" METHOD="GET"> Actual result: -------------- <FORM ACTION="doit.cgi" METHOD="GET">

Comments

 [2004-02-01 04:32 UTC] joey at q7 dot com
using %2f doesn't help. hand coding the <form> tag will obviously work, but it seems like it would be worth fixing the main code. given the lack of docs for this package i hope that noone relies on that basename call :-).
 [2004-03-06 00:35 UTC] gurugeek
Hello Joey, I spend some time on your bug report. I think that basename is used as a security measure. (Under certain circumstances no basename could represent a security issue) I prepared a patch ( patched source live at http:// php.gurugeek.org/pear/html_form_gg.php ) which basically introduces a new var $basenameSecurity and a private function. In this way the user could set its value to false if desired and enter the full url as per your expected result. An important note: I am not the package lead. I recently asked to be added as helper/developer within HTML_Form and if that is the case, I could apply the patch if approved by the lead. Thanks again for your contribution to PEAR. Regards David Costa
 [2004-03-12 04:34 UTC] joey at q7 dot com
even if there is a possible security problem, this is not data that comes from the user, so i can't see why the code would enforce a basename on it. i am of the camp that trusts the programmer. distrusting the user is ok, but that doesn't seem to apply to this case.
 [2004-05-28 06:20 UTC] danielc
Fixed in CVS.