Issue Type: Improvement Created: 2008-07-02T16:51:06.000+0000 Last Updated: 2008-09-02T10:38:52.000+0000 Status: Resolved Fix version(s): - 1.6.0 (02/Sep/08)
Reporter: Darien Hager (hagerd) Assignee: Matthew Weier O'Phinney (matthew) Tags: - Zend_Form
Related issues: - ZF-3286
Attachments: - zend_multi_fix.patch
It seems that the Zend_Form_Element_Multi can validate even though the data presented by the user does not match a valid option.
Example case: Create a form with a select box, such as "Title" with the options "Mr" and "Mrs". If a user POSTs results that contain "foo", it will still validate. While there are cases where you may wish to skip this kind of check, it strikes me as a serious hole in the validation strategy, specifically from a security standpoint.
I'm very much a newbie to Zend_Form, but I've attached a patch that seems to fix the problem for single and multi-selects.
Posted by Darien Hager (hagerd) on 2008-07-07T10:45:04.000+0000
In retrospect, this might be better solved in some cases with an automatic addition of the InArray filter (Zend_Validate_InArray)... I'm not sure how best to fix this issue, if it it should be fixed.
I guess the main point is that this is somewhere that there was a breakdown between developer assumptions of how Zend_Form's validation worked versus it's actual effects, and the proper action might be a documentation change instead.
Posted by Matthew Weier O'Phinney (matthew) on 2008-08-04T06:15:11.000+0000
I'm going to agree that an InArray validator should be added by default, and am scheduling for 1.6.
Posted by Matthew Weier O'Phinney (matthew) on 2008-08-04T13:26:55.000+0000
Closed with ZF-3286
Posted by Wil Sinclair (wil) on 2008-09-02T10:38:52.000+0000
Updating for the 1.6.0 release.
Have you found an issue?
See the Overview section for more details.