Resolved a bug with the form_hidden function when having multiple forms. #2053
…ms with identical field names that would cause field attributes to not be encoded properly
Isn't that fixed in the develop branch?
That's quite possible. When I looked at the form helper, it looked like the static variable wasn't being cleared out on form close, which is the root cause of this problem. It's quite possible I missed it though.
Yes, that function was indeed broken, but I'm pretty confident that this is already fixed in the development code. The following is its latest version:
Looks like this wouldn't suffer from the bug as it isn't using a static variable at all. The old version had problems because the field name was being stored statically so that identical field names in the same form weren't sanitized again. I don't know if that behavior is desired or not. My changes preserve the static variable approach, but this new function should work just as well, albeit potentially B2B slower since fields may be sanitized unnecessarily. The performance impact would likely be next to nothing however. That's how I see it though, and I could be wrong.
Yeah, the old implementation was either seriously flawed or back in the day you needed to do a lot more than a simple
Is there a particular reason why the new implementation isn't using the htmlspecialchars function?
The code is pretty self-explaining - textarea elements only need less-than and greater-than to be escaped, while attributes (supposedly 'value' in our case) use quotes as the delimiter. Why would you need to use
I have JSON in my value attributes. With those having quotes all scattered throughout, wouldn't it be important to have the " in the JSON converted to the htmlsafe text?
I looked at that again, yeah, that should work fine. (Sorry, it's early morning here.) It looks like my changes aren't needed anymore. I just wanted to make sure we weren't missing something somehow.
OK, closing then.
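To make the failure mode discussed above concrete, here is an added illustration (not CodeIgniter's form helper and not code from this PR): a hypothetical reconstruction of a hidden-field builder that remembers sanitized field names in a static variable, next to a stateless version that escapes the value on every call. The function names, the `$seen` cache and the JSON sample are constructed for the example.

```php
<?php
// Hypothetical reconstruction of the flawed approach described in the thread:
// the static $seen array is never cleared when a form closes, so the second
// form that reuses a field name gets its value emitted without escaping.
function hidden_field_cached(string $name, string $value): string
{
    static $seen = array();
    if (!isset($seen[$name])) {
        $seen[$name] = true;
        // Only the first occurrence of a name is sanitized.
        $value = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    }
    return '<input type="hidden" name="' . $name . '" value="' . $value . '" />';
}

// Stateless version: escape on every call, quotes included, because the value
// sits inside a double-quoted attribute and a raw " would end the attribute.
function hidden_field(string $name, string $value): string
{
    $name  = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    $value = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="' . $name . '" value="' . $value . '" />';
}

// Constructed sample: JSON in the value, as in the thread, rendered by two
// different forms on the same page that happen to share a field name.
$json = '{"id":1,"label":"a\"b"}';
echo hidden_field_cached('payload', $json), "\n"; // first form: &quot; in value
echo hidden_field_cached('payload', $json), "\n"; // second form: raw quotes, attribute broken
echo hidden_field('payload', $json), "\n";        // escaped every time
```

Rendering the second line in a browser shows the attribute terminated at the first raw quote, which is the "not encoded properly" symptom the PR title describes.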
Identical field names in the same page but diff forms would cause output to not be encoded properly.