Issues

ZF-3563: Zend_Form_Element_Multi, when validating, do not confirm that the value is a valid selection

Description

It seems that the Zend_Form_Element_Multi can validate even though the data presented by the user does not match a valid option.

Example case: Create a form with a select box, such as "Title" with the options "Mr" and "Mrs". If a user POSTs results that contain "foo", it will still validate. While there are cases where you may wish to skip this kind of check, it strikes me as a serious hole in the validation strategy, specifically from a security standpoint.

I'm very much a newbie to Zend_Form, but I've attached a patch that seems to fix the problem for single and multi-selects.

Comments

P.S.:

In retrospect, this might be better solved in some cases with an automatic addition of the InArray filter (Zend_Validate_InArray)... I'm not sure how best to fix this issue, if it it should be fixed.

I guess the main point is that this is somewhere that there was a breakdown between developer assumptions of how Zend_Form's validation worked versus it's actual effects, and the proper action might be a documentation change instead.

I'm going to agree that an InArray validator should be added by default, and am scheduling for 1.6.

Closed with ZF-3286

Updating for the 1.6.0 release.