From ed435870ae0b15380b92ba1373983c9e66ebd26c Mon Sep 17 00:00:00 2001 From: mark_story Date: Fri, 12 Apr 2013 12:28:40 -0400 Subject: [PATCH] Fix secure field lists when select elements have custom name attributes. When a select element had a custom name attribute the secured field name was incorrect. Fixes #3753 --- .../Test/Case/View/Helper/FormHelperTest.php | 27 ++++++++++++++++++- lib/Cake/View/Helper/FormHelper.php | 27 +++++++++++++------ 2 files changed, 45 insertions(+), 9 deletions(-) diff --git a/lib/Cake/Test/Case/View/Helper/FormHelperTest.php b/lib/Cake/Test/Case/View/Helper/FormHelperTest.php index 24f9931c6ce..185f6b86356 100644 --- a/lib/Cake/Test/Case/View/Helper/FormHelperTest.php +++ b/lib/Cake/Test/Case/View/Helper/FormHelperTest.php @@ -1200,7 +1200,8 @@ public function testFormSecuredInput() { $this->assertTags($result, $expected); $result = $this->Form->hidden('UserForm.stuff'); - $expected = array('input' => array( + $expected = array( + 'input' => array( 'type' => 'hidden', 'name' => 'data[UserForm][stuff]', 'id' => 'UserFormStuff' )); @@ -1256,6 +1257,30 @@ public function testFormSecuredInput() { $this->assertTags($result, $expected); } +/** + * Test secured inputs with custom names. + * + * @return void + */ + public function testSecuredInputCustomName() { + $this->Form->request['_Token'] = array('key' => 'testKey'); + $this->assertEquals(array(), $this->Form->fields); + + $this->Form->input('text_input', array( + 'name' => 'data[Option][General.default_role]', + )); + $expected = array('Option.General.default_role'); + $this->assertEquals($expected, $this->Form->fields); + + $this->Form->input('select_box', array( + 'name' => 'data[Option][General.select_role]', + 'type' => 'select', + 'options' => array(1, 2), + )); + $expected = array('Option.General.default_role', 'Option.General.select_role'); + $this->assertEquals($expected, $this->Form->fields); + } + /** * Tests that the correct keys are added to the field hash index * 
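Review bot: `testSecuredInputCustomName()` only exercises a text input and a single select with options, so the `multiple` path that reaches the changed `_secure()` call in `select()` and a custom name with no `[...]` segment are left unpinned. The secured field list is what the secured field hash is built from, so a regression in those paths would not be caught by this test. Add a case such as `$this->Form->input('multi_box', array('name' => 'data[Option][General.multi_role]', 'type' => 'select', 'multiple' => true, 'options' => array(1, 2)));` and assert the resulting `$this->Form->fields`.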
diff --git a/lib/Cake/View/Helper/FormHelper.php b/lib/Cake/View/Helper/FormHelper.php index 578a6a63823..2711dd5c7c4 100644 --- a/lib/Cake/View/Helper/FormHelper.php +++ b/lib/Cake/View/Helper/FormHelper.php @@ -9,7 +9,7 @@ * * @copyright Copyright (c) Cake Software Foundation, Inc. (http://cakefoundation.org) * @link http://cakephp.org CakePHP(tm) Project - * @package Cake.View.Helper + * @package Cake.View.Helper * @since CakePHP(tm) v 0.10.0.1076 * @license MIT License (http://www.opensource.org/licenses/mit-license.php) */ @@ -2015,7 +2015,7 @@ public function select($fieldName, $options = array(), $attributes = array()) { empty($attributes['disabled']) && (!empty($attributes['multiple']) || $hasOptions) ) { - $this->_secure(true); + $this->_secure(true, $this->_secureFieldName($attributes)); } $select[] = $this->Html->useTag($tag, $attributes['name'], array_diff_key($attributes, array('name' => null, 'value' => null))); } @@ -2828,16 +2828,27 @@ protected function _initInputField($field, $options = array()) { $result['required'] = true; } - $fieldName = null; - if (!empty($options['name'])) { + $this->_secure($secure, $this->_secureFieldName($options)); + return $result; + } + +/** + * Get the field name for use with _secure(). + * + * Parses the name attribute to create a dot separated name value for use + * in secured field hash. + * + * @param array $options An array of options possibly containing a name key. + * @return string|null + */ + protected function _secureFieldName($options) { + if (isset($options['name'])) { preg_match_all('/\[(.*?)\]/', $options['name'], $matches); if (isset($matches[1])) { - $fieldName = $matches[1]; + return $matches[1]; } } - - $this->_secure($secure, $fieldName); - return $result; + return null; } /**
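Review bot: The new `$this->_secure(true, $this->_secureFieldName($attributes));` call in `select()` carries no comment saying why the name attribute is parsed here instead of using whatever the old `_secure(true)` call defaulted to. That reason is the substance of the fix, and this call has to stay in step with the one in `_initInputField()`. A short why-comment would do, for example `// Lock the field under its rendered name so custom name attributes hash the same way as in _initInputField().` `select()` starts and ends outside the hunk, so how `$attributes['name']` is built for `multiple` selects cannot be checked from here.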
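Review bot: The docblock added for `_secureFieldName()` declares `@return string|null`, but the method returns `$matches[1]`, which `preg_match_all()` fills with an array of captured segments, so it should read `@return array|null`. In addition, `isset($matches[1])` is true whenever the call succeeds, so a name with no `[...]` segment returns an empty array rather than null, and a name ending in `[]` contributes an empty-string segment. Whether `_secure()` handles both is not visible in this hunk. Making the fallback explicit with `if (!empty($matches[1])) { return $matches[1]; }` would remove the dependence on that. `_initInputField()` begins outside the hunk.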