ZF-12165: Warning: htmlspecialchars() expects parameter 1 to be string, array given in \Zend\View\Abstract.php on line 905

Issue Type:
Bug
Created:
2012-04-20T15:11:41.000+0000
Last Updated:
2012-07-24T07:55:46.000+0000
Status:
Resolved
Fix version(s):
    Reporter:
    John Brown (johniskew)
    Assignee:
    Matthew Weier O'Phinney (matthew)
    Tags:
    • Zend_View
    Related issues:
    Attachments:

    Description

    If a user submits an array instead of an expected string for "non-array" form fields, this warning is generated.

    Simple test:

    $form->setMethod('get'); $q = new Zend_Form_Element_Text('q'); $form->addElement($q);

    Submit the form. Edit the address bar to be 'q[]=' instead of 'q=' and the Zend View will emit the warning.

    Comments

    Posted by Matthew Weier O'Phinney (matthew) on 2012-04-20T16:21:47.000+0000

    I'd argue this is expected and reasonable behavior. The error occurs when you try and pass an invalid value to be rendered; as such, you should correct your form.

    Posted by John Brown (johniskew) on 2012-04-20T17:24:17.000+0000

    I think you're looking at it from a different view than I am. In the example the form element does expect a string, and the developer should only expecting a string. However a "malicious" user can quite simply edit the URL to include the [].

    http://host/form.php?q=hello vs http://host/form.php?q[]=hello.

    Then that breaks the underlying Zend escaping mechanism. This shouldnt require developer intervention to fix that. We can do all the filtering/validation on the zend form end, but once the variable gets to the zend view end it will break.

    Posted by Vatturi Srinivas (srinivas) on 2012-07-24T05:35:53.000+0000

    Warning: htmlspecialchars() expects parameter 1 to be string, array given in \Zend\View\Abstract.php on line 905 is getting when I am not navigating to another page.(I am dispalying that form at html page).

    Code: $this->setMethod('post'); $this->setAction('/index/save'); $first=new Zend_Form_Element_Text("first"); $first->setLabel("First Name"); $first->setAttrib('id','first'); $first->setAttrib('name','first'); $first->setAttrib('class','required'); $last=new Zend_Form_Element_Text("last"); $last->setAttrib('id','last'); $last->setLabel("Last Name"); $last->setAttrib('class','required'); $email=new Zend_Form_Element_Text("email"); $email->setAttrib('id','email'); $email->setAttrib('name','email'); $email->setLabel('UserId : '); $password = new Zend_Form_Element_Password("password"); $password ->setLabel('Password:'); $password ->setAttribs(array('id'=>'password', 'name'=>'password'));

        $submit=new Zend_Form_Element_Submit('submit');
    $submit->setAttrib('name','register');
    $submit->setAttrib('id','register');
    $submit->setValue('Submit');
    $this->addElements(array($email,$password,$first,$last,$submit));

    In the above code, I am getting that warning only for the text element 'email'.

    Posted by Frank Brückner (frosch) on 2012-07-24T07:55:46.000+0000

    @Vatturi

    I can not reproduce your problem. I have tested your form in a standard application environment and as a stand alone form. Please test the form outside your application.

    You do not need {{setMethod('post')}}, {{setAttrib('id', …)}} or {{setAttrib('name', …)}}:

    
$this->setAction('/index/save');

$first = new Zend_Form_Element_Text('first');
$first->setLabel('First Name');
$first->setAttrib('class', 'required');

$last = new Zend_Form_Element_Text('last');
$last->setLabel('Last Name');
$last->setAttrib('class', 'required');

$email = new Zend_Form_Element_Text('email');
$email->setLabel('UserId : ');

$password = new Zend_Form_Element_Password('password');
$password->setLabel('Password:');

$submit = new Zend_Form_Element_Submit('submit');
$submit->setLabel('Submit');

$this->addElements(array($email, $password, $first, $last, $submit));

    You will get the same HTML output.