Fixing blackholes caused by using custom name attributes with inputs.…

… Fixes #1489
commit 5464ed845594047b47285abd1afdc6506c3e0bc2 1 parent 38e286e
@markstory markstory authored
11 cake/libs/view/helpers/form.php
@@ -2190,10 +2190,19 @@ function _initInputField($field, $options = array()) {
} else {
$secure = (isset($this->params['_Token']) && !empty($this->params['_Token']));
}
+
+ $fieldName = null;
+ if ($secure && !empty($options['name'])) {
+ preg_match_all('/\[(.*?)\]/', $options['name'], $matches);
+ if (isset($matches[1])) {
+ $fieldName = $matches[1];
+ }
+ }
+
$result = parent::_initInputField($field, $options);
if ($secure) {
- $this->__secure();
+ $this->__secure($fieldName);
}
return $result;
}
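Review bot: `isset($matches[1])` in the added block is always true after `preg_match_all()` in its default pattern-order mode, so a custom name with no bracketed segment (a constructed example: `'name' => 'custom'`) hands `__secure()` an empty array instead of `null`. Writing the guard as `if (!empty($matches[1])) {` keeps the fallback to the default field explicit rather than depending on how `__secure()` treats an empty array, which is not visible in this hunk. A name ending in `[]` also contributes an empty segment to the secured field path; it should be confirmed that this still matches what the token validation computes on submit, since a mismatch would blackhole a legitimate request. `_initInputField` starts before the hunk, so how `$secure` is set in the branch above is only partly visible.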
15 cake/tests/cases/libs/view/helpers/form.test.php
@@ -1084,6 +1084,21 @@ function testFormSecurityInputDisabledFields() {
}
/**
+ * test securing inputs with custom name attributes.
+ *
+ * @return void
+ */
+ function testFormSecureWithCustomNameAttribute() {
+ $this->Form->params['_Token']['key'] = 'testKey';
+
+ $this->Form->text('UserForm.published', array('name' => 'data[User][custom]'));
+ $this->assertEqual('User.custom', $this->Form->fields[0]);
+
+ $this->Form->text('UserForm.published', array('name' => 'data[User][custom][another][value]'));
+ $this->assertEqual('User.custom.another.value', $this->Form->fields[1]);
+ }
+
+/**
* testFormSecuredInput method
*
* Test generation of entire secure form, assertions made on input() output.
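Review bot: `testFormSecureWithCustomNameAttribute` pins only well-formed `data[Model][field]` names and has no case for a custom name without brackets or one ending in `[]`. Those are the inputs where the name parsing in `_initInputField` yields an empty or partial field path, and `$this->Form->fields` appears to be the list the form token is built from. Adding a call such as `$this->Form->text('UserForm.published', array('name' => 'custom'));` with an assertion on the recorded entry would document the intended fallback. A short comment in the docblock saying that the recorded path must equal the path the submitted data arrives under would also help the next reader see why the `data` prefix is dropped.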