Zend Framework

1. Accessing a value is a bug or a feature? 2. escapeFilter option is a bug or a feature?

Details

  • Type: Bug
  • Status: Resolved
  • Priority: Minor
  • Resolution: Not an Issue
  • Affects Version/s: 1.9.6, 1.10.2
  • Fix Version/s: 1.10.3
  • Component/s: Zend_Filter_Input
  • Labels:
    None

Description

This is a test code:
<?php
require_once('Zend/Filter/Input.php');

$options = array(
    'escapeFilter' => array('StringTrim'),
    'breakChainOnFailure' => true,
    'presence' => 'required'
);

$filters = array('account' => 'StringToUpper');
$validators = array('account' => 'Alpha');

$data['account'] = 'sdfgsdgGRDW';
$input = new Zend_Filter_Input($filters, $validators, $data, $options);

if ($input->isValid()) {
    var_dump('Hooray');
    for ($i = 0; $i < 5; $i++) {
        var_dump($input->account);
    }
} else {
    var_dump('Not valid');
}
?>

1. I just ran Zend_Filter_Input through Xdebug and found that accessing the value ($input->account) invokes the getEscaped() functionality by default, which was done when you access isValid(). In my opinion it should use getUnescaped() by default if you used isValid().

2. If the value of $data['account'] is ' sdfgsdgGRDW', with white space, it returns the 'Not valid' result. It does not care that my 'escapeFilter' is 'StringTrim'. Should it go through the filters first and then the validations?

Cheers

Activity

Thomas Weidner added a comment -

to 1.)
When calling __get (also explicit) getEscaped() is correct.
For security reasons Zend_Filter_Input will always return a value which conforms to the security.

to 2.)
According to the manual the escapeFilters are processed AFTER validation (different than the other filters). Returning a FALSE is correct within the given examples.

Thomas Weidner added a comment -

Closing as non-issue

Oleg Demeshev added a comment -

to 2.) Then the Zend_Filter_Input escapeFilters (StringTrim) documentation is wrong, isn't it? Because it will never work. This code is basically from the documentation:

<?php
require_once('Zend/Filter/Input.php');

$options = array('escapeFilter' => array('StringTrim'));
$filters = array('account' => 'StringToUpper');
$validators = array('account' => 'Alpha');

$data['account'] = ' sdfgsdgGRDW ';
$input = new Zend_Filter_Input($filters, $validators, $data, $options);

if ($input->isValid()) {
    var_dump('Valid');
} else {
    var_dump('Not valid');
}
?>

Thomas Weidner added a comment - edited

Why should the example not work?
The examples within the manual are very clear.

And directly below the example you are referring to you can read:

Filters to escape output should be run in this way, to make sure they run after validation. Other filters you declare in the array of filter rules are applied to input data before data are validated. If escaping filters were run before validation, the process of validation would be more complex, and it would be harder to provide both escaped and unescaped versions of the data. So it is recommended to declare filters to escape output using setDefaultEscapeFilter(), not in the $filters array.
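
The ordering described in the comment above (filter rules, then validators, then escape filters when a value is read), as an added example that is not part of the original issue or of the Zend Framework manual. It moves StringTrim into the $filters rules so that the Alpha validator sees trimmed input and leaves escaping to the escapeFilter option; it assumes Zend Framework 1.x is on the include path, and the sample input is constructed.

```php
<?php
// Added example, not from the original issue. Assumes ZF 1.x on the include_path.
require_once 'Zend/Filter/Input.php';

// Filter rules run BEFORE validation: trim first, then upper-case.
$filters = array(
    'account' => array('StringTrim', 'StringToUpper'),
);

// Validators receive the filtered value, so surrounding whitespace is already gone.
$validators = array(
    'account' => 'Alpha',
);

// The escape filter is applied only when a value is read through
// getEscaped() or the magic __get accessor, i.e. after validation.
$options = array(
    'escapeFilter' => 'HtmlEntities',
    'presence'     => 'required',
);

// Constructed sample input with leading and trailing whitespace.
$data = array('account' => '  sdfgsdgGRDW  ');

$input = new Zend_Filter_Input($filters, $validators, $data, $options);

if ($input->isValid()) {
    // Filtered and validated, not escaped: for storage or further processing.
    var_dump($input->getUnescaped('account'));
    // Filtered, validated and escaped: for HTML output (same as $input->account).
    var_dump($input->getEscaped('account'));
} else {
    // Validation messages keyed by rule name.
    var_dump($input->getMessages());
}
```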

Oleg Demeshev added a comment -

Sorry, somehow lost this part.
