Package home | Report new bug | New search | Development Roadmap Status: Open | Feedback | All | Closed Since Version 3.2.16

Bug #4463 select, hiddenselect and hierselect produce non valid html code
Submitted: 2005-05-28 15:50 UTC
From: pear at felixdd dot de Assigned: avb
Status: Closed Package: HTML_QuickForm
PHP Version: Irrelevant OS:
Roadmaps: (Not assigned)    
Subscription  


 [2005-05-28 15:50 UTC] pear at felixdd dot de
Description: ------------ It concerns select (v1.26), hierselect (uses select) and hiddenselect (v1.3): HTML special chars ("&<>) in values and element names (hiddenselect only) results in non valid HTML code. Reproduce code: --------------- $options = array('key"<&>"' => 'foo"<&>"'); $form->addElement('select', 'name"<&>"', 'Label', $options); for hiddenselect change 'select' to 'hiddenselect' These patches will resolve the issues: --- select.php 11 Mar 2005 21:05:34 -0000 1.1.1.1 +++ select.php 28 May 2005 15:24:07 -0000 @@ -489,7 +489,7 @@ $this->_updateAttrArray($option['attr'], array('selected' => 'selected')); } $strHtml .= $tabs . "\t<option" . $this->_getAttrString($option['attr']) . '>' . - $option['text'] . "</option>\n"; + htmlspecialchars($option['text']) . "</option>\n"; } return $strHtml . $tabs . '</select>'; @@ -519,7 +519,8 @@ } } } - $html = empty($value)? ' ': join('<br />', $value); + $uid = uniqid(''); + $html = empty($value)? ' ': str_replace($uid, '<br />', htmlspecialchars(join($uid, $value))); if ($this->_persistantFreeze) { $name = $this->getPrivateName(); // Only use id attribute if doing single hidden input --- hiddenselect.php 11 Mar 2005 21:05:34 -0000 1.1.1.1 +++ hiddenselect.php 28 May 2005 15:46:22 -0000 @@ -79,7 +79,7 @@ foreach ($this->_values as $key => $val) { for ($i = 0, $optCount = count($this->_options); $i < $optCount; $i++) { if ($val == $this->_options[$i]['attr']['value']) { - $strHtml .= $tabs . '<input type="hidden" name="' . $name . '" value="' . $val . '" />' . "\n"; + $strHtml .= $tabs . '<input type="hidden" name="' . htmlspecialchars($name) . '" value="' . htmlspecialchars($val) . '" />' . "\n"; } } } Expected result: ---------------- select/hierselect: <select name="name"<&>""> <option value="key"<&>"" selected="selected">foo"<&>"</option> </select> hiddenselect: <input type="hidden" name="name"<&>"" value="key"<&>"" /> Actual result: -------------- select: <select name="name"<&>""> <option value="key"<&>"" selected="selected">foo"<&>"</option> </select> hiddenselect: <input type="hidden" name="name"<&>"" value="key"<&>"" />

Comments

 [2005-05-28 17:02 UTC] avb
The part dealing with option texts will not be fixed (see last comment for bug #2572). The part dealing with attribute values in hiddenselect will definitely be fixed.
 [2005-05-29 07:44 UTC] pear at felixdd dot de
But there is no chance to maipulate options text when populating by loadDbResult or loadQuery. I don't want to contaminate my database data with output dependend formatting stuff. So I suggest to implement e.g. a callback function.
 [2005-06-24 18:06 UTC] avb
Generation of invalid HTML attribute values was fixed in CVS. As for adding a callback for loadDbQuery(), I suggest you go the true OO way and write a Decorator around DB_Result instead.