Zend Framework

Zend_Filter_Input::_escapeRecursive($data) applies defaultEscapeFilter when $data is an object.

Details

  • Type: Bug
  • Status: Resolved
  • Priority: Critical
  • Resolution: Won't Fix
  • Affects Version/s: 1.8.0
  • Fix Version/s: 1.10.0
  • Component/s: Zend_Filter_Input
  • Labels:
    None

Description

I created a custom filter called ToDate which returns a Zend_Date object. So, I'm using this after validating a date field with Zend_Validate_Date. Thus, I can apply custom date validators on it and, finally, convert to 'yyyy-mm-dd' format in order to save the row object in database. But when I call Zend_Filter_Input::getEscaped(), I get a date string, because defaultEscapeFilter is applied on the value in _escapeRecursive(). I think the correction in Zend_Filter_Input::_escapeRecursive() is quite simple:

change:

if (!is_array($data)) { return $this->_getDefaultEscapeFilter()->filter($data); }

to:
if (!is_array($data) && !is_object($data)) { return $this->_getDefaultEscapeFilter()->filter($data); }

Activity

Thomas Weidner added a comment -

This would not work.

Your change would force objects to be run through the foreach loop, which causes a warning as objects are cast to string. And the API of getEscaped() declares that the input value has to be a string and not an object.

Using this I would simply define my own Default Filter which accepts and returns objects.

Thomas Weidner added a comment -

Additionally I would not know how escaping of an object should work.
Escaping can only be applied to a string. Therefore a casting is expected behaviour.

Thomas Weidner added a comment -

Closing this issue as Won't Fix after a short discussion with the dev-team.

Reason:
getEscaped() escapes data which is intended for usage within the View. This method does not handle non-native types. What should be escaped within an object? It would be cast to a string in any case.

Therefore there is no solution for the described case. You would have to extend the needed classes to provide the methodology you wish.

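The workaround suggested in the comments (a custom default escape filter that accepts and returns objects), written out as an added example; it is not code from this issue or from Zend Framework. The class name My_Filter_EscapeUnlessTrusted and its allowlist parameter are hypothetical, and DateTime stands in for Zend_Date so the file runs without the framework.

```php
<?php
// Added example, not Zend Framework code. With ZF1 on the include path the
// real interface is used; the stub only lets this file run without it.
if (!interface_exists('Zend_Filter_Interface')) {
    interface Zend_Filter_Interface { public function filter($value); }
}

/**
 * Hypothetical escape filter: objects of allowlisted classes pass through
 * untouched; every other value is cast to string and HTML-escaped.
 */
class My_Filter_EscapeUnlessTrusted implements Zend_Filter_Interface
{
    private $trusted;

    public function __construct(array $trustedClasses)
    {
        $this->trusted = $trustedClasses;
    }

    public function filter($value)
    {
        if (is_object($value)) {
            foreach ($this->trusted as $class) {
                if ($value instanceof $class) {
                    return $value; // not escaped: the view must escape its output
                }
            }
            if (!method_exists($value, '__toString')) {
                return ''; // no string form; never hand it to the view raw
            }
        }
        // Default stays safe: unknown objects and scalars are escaped.
        return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
    }
}

// Constructed sample values.
$filter = new My_Filter_EscapeUnlessTrusted(array('DateTime'));
var_dump($filter->filter(new DateTime('2009-05-01')) instanceof DateTime);
var_dump($filter->filter('<b onmouseover="x()">label</b>'));

// With ZF1 loaded, register it on a Zend_Filter_Input instance ($input):
// $input->setDefaultEscapeFilter(new My_Filter_EscapeUnlessTrusted(array('Zend_Date')));
```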
