| Package home | Report new bug | New search | Development Roadmap | Status: Open | Feedback | All | Closed Since Version 3.2.16 |
| Bug #4463 | select, hiddenselect and hierselect produce non valid html code | ||
|---|---|---|---|
| Submitted: | 2005-05-28 15:50 UTC | ||
| From: | pear at felixdd dot de | Assigned: | avb |
| Status: | Closed | Package: | HTML_QuickForm |
| PHP Version: | Irrelevant | OS: | |
| Roadmaps: | (Not assigned) | ||
[2005-05-28 15:50 UTC] pear at felixdd dot de
Description:
------------
It concerns select (v1.26), hierselect (uses select) and hiddenselect (v1.3):
HTML special chars ("&<>) in values and element names (hiddenselect only) results in non valid HTML code.
Reproduce code:
---------------
$options = array('key"<&>"' => 'foo"<&>"');
$form->addElement('select', 'name"<&>"', 'Label', $options);
for hiddenselect change 'select' to 'hiddenselect'
These patches will resolve the issues:
--- select.php 11 Mar 2005 21:05:34 -0000 1.1.1.1
+++ select.php 28 May 2005 15:24:07 -0000
@@ -489,7 +489,7 @@
$this->_updateAttrArray($option['attr'], array('selected' => 'selected'));
}
$strHtml .= $tabs . "\t<option" . $this->_getAttrString($option['attr']) . '>' .
- $option['text'] . "</option>\n";
+ htmlspecialchars($option['text']) . "</option>\n";
}
return $strHtml . $tabs . '</select>';
@@ -519,7 +519,8 @@
}
}
}
- $html = empty($value)? ' ': join('<br />', $value);
+ $uid = uniqid('');
+ $html = empty($value)? ' ': str_replace($uid, '<br />', htmlspecialchars(join($uid, $value)));
if ($this->_persistantFreeze) {
$name = $this->getPrivateName();
// Only use id attribute if doing single hidden input
--- hiddenselect.php 11 Mar 2005 21:05:34 -0000 1.1.1.1
+++ hiddenselect.php 28 May 2005 15:46:22 -0000
@@ -79,7 +79,7 @@
foreach ($this->_values as $key => $val) {
for ($i = 0, $optCount = count($this->_options); $i < $optCount; $i++) {
if ($val == $this->_options[$i]['attr']['value']) {
- $strHtml .= $tabs . '<input type="hidden" name="' . $name . '" value="' . $val . '" />' . "\n";
+ $strHtml .= $tabs . '<input type="hidden" name="' . htmlspecialchars($name) . '" value="' . htmlspecialchars($val) . '" />' . "\n";
}
}
}
Expected result:
----------------
select/hierselect:
<select name="name"<&>"">
<option value="key"<&>"" selected="selected">foo"<&>"</option>
</select>
hiddenselect:
<input type="hidden" name="name"<&>"" value="key"<&>"" />
Actual result:
--------------
select:
<select name="name"<&>"">
<option value="key"<&>"" selected="selected">foo"<&>"</option>
</select>
hiddenselect:
<input type="hidden" name="name"<&>"" value="key"<&>"" />
Comments
[2005-05-28 17:02 UTC] avb
The part dealing with option texts will not be fixed (see last comment for bug #2572). The part dealing with attribute values in hiddenselect will definitely be fixed.
[2005-05-29 07:44 UTC] pear at felixdd dot de
But there is no chance to maipulate options text when populating by loadDbResult or loadQuery. I don't want to contaminate my database data with output dependend formatting stuff.
So I suggest to implement e.g. a callback function.
[2005-06-24 18:06 UTC] avb
Generation of invalid HTML attribute values was fixed in CVS.
As for adding a callback for loadDbQuery(), I suggest you go the true OO way and write a Decorator around DB_Result instead.