Disallow hexadecimal input with inList.

Instead of turning on/off strict mode based on the user supplied input,
cast everything to strings and always use a strict check. This avoids
the potential issue of a bad user using hexadecimal when they should not
be allowed to do so. Thanks to 'Kurita Takashi' for pointing this out.
markstory committed Jul 4, 2014
1 parent 1988e89 commit 3936cce4b8c6fea315fd0010d0244d70a4c40b6a
Showing with 7 additions and 4 deletions.
  1. +4 −0 lib/Cake/Test/Case/Utility/ValidationTest.php
  2. +3 −4 lib/Cake/Utility/Validation.php
@@ -1979,6 +1979,10 @@ public function testInList() {
$this->assertFalse(Validation::inList(2, array('1', '2x', '3')));
$this->assertFalse(Validation::inList('One', array('one', 'two')));
// No hexadecimal for numbers.
$this->assertFalse(Validation::inList('0x7B', array('ABC', '123')));
$this->assertFalse(Validation::inList('0x7B', array('ABC', 123)));
// case insensitive
$this->assertTrue(Validation::inList('one', array('One', 'Two'), true));
$this->assertTrue(Validation::inList('Two', array('one', 'two'), true));
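Review bot: the two new assertions only cover the rejected case; a matching positive assertion in the same group, such as `$this->assertTrue(Validation::inList('123', array('ABC', 123)));`, would pin down that the string cast keeps plain numeric values matching while the hexadecimal spelling `'0x7B'` of the same value no longer does. Without it, a future regression that rejects all numeric input would still pass this test. The second new line (list containing the integer `123`) is the one that exercises the `strval` mapping added in `Validation.php`, so a comment saying so would make the pair easier to keep in sync.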
@@ -800,14 +800,13 @@ public static function url($check, $strict = false) {
* @return bool Success.
public static function inList($check, $list, $caseInsensitive = false) {
$strict = !is_numeric($check);
if ($caseInsensitive) {
$list = array_map('mb_strtolower', $list);
$check = mb_strtolower($check);
} else {
$list = array_map('strval', $list);
return in_array((string)$check, $list, $strict);
return in_array((string)$check, $list, true);
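Review bot: the docblock still ends with `@return bool Success.` and says nothing about comparison semantics, while this hunk changes them: with `$strict = !is_numeric($check);` removed and the third `in_array` argument now always `true`, every comparison is a strict string comparison after `$check` is cast with `(string)` and `$list` with `array_map('strval', ...)`. Add a sentence to the docblock stating that values are compared as strings and that numeric coercion (including hexadecimal forms) is no longer applied. Two smaller points: in the `$caseInsensitive` branch `$check` is passed to `mb_strtolower` without the `(string)` cast that the `else` branch applies, so consider casting once before the `if` for symmetry; and `array_map('strval', $list)` will emit an "Array to string conversion" notice if a list element is itself an array, which the previous loose `in_array` handled silently, so either document that `$list` must contain scalars or filter non-scalars first.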
