ZF-3563: Zend_Form_Element_Multi, when validating, do not confirm that the value is a valid selection
Description
It seems that the Zend_Form_Element_Multi can validate even though the data presented by the user does not match a valid option.
Example case: Create a form with a select box, such as "Title" with the options "Mr" and "Mrs". If a user POSTs results that contain "foo", it will still validate. While there are cases where you may wish to skip this kind of check, it strikes me as a serious hole in the validation strategy, specifically from a security standpoint.
I'm very much a newbie to Zend_Form, but I've attached a patch that seems to fix the problem for single and multi-selects.
Comments
Posted by Darien Hager (hagerd) on 2008-07-07T10:45:04.000+0000
P.S.:
In retrospect, this might be better solved in some cases with an automatic addition of the InArray filter (Zend_Validate_InArray)... I'm not sure how best to fix this issue, if it it should be fixed.
I guess the main point is that this is somewhere that there was a breakdown between developer assumptions of how Zend_Form's validation worked versus it's actual effects, and the proper action might be a documentation change instead.
Posted by Matthew Weier O'Phinney (matthew) on 2008-08-04T06:15:11.000+0000
I'm going to agree that an InArray validator should be added by default, and am scheduling for 1.6.
Posted by Matthew Weier O'Phinney (matthew) on 2008-08-04T13:26:55.000+0000
Closed with ZF-3286
Posted by Wil Sinclair (wil) on 2008-09-02T10:38:52.000+0000
Updating for the 1.6.0 release.