ZF-9388: escape = false ignored on Zend_Form_Element_MultiSelect options

Issue Type: Sub-task Created: 2010-03-10T03:05:58.000+0000 Last Updated: 2012-11-20T21:37:29.000+0000 Status: Open Fix version(s): Reporter: Andrew Coghlan ( Assignee: None Tags: - Zend_Form

Related issues: - ZF-7403



Further to the issue I reported last year which was marked as resolved - issue 7403:

It is not possible to pass options to a multi-select form without them being escaped, regardless of the options passed in with the ViewHelper decorator. I reported this in v1.8.2 originally, although I'm now on 1.10.2 and it is the same. All code lines below refer to ZF ver 1.10.2.

When rendering the Zend_Form_Element_MultiSelect element, the "escape = false" option does not get referenced. Refer to lines 158 to 172 of Zend_View_Helper_FormSelect where the code is as follows:

    $opt = '<option'
         . ' value="' . $this->view->escape($value) . '"'
         . ' label="' . $this->view->escape($label) . '"';

    // selected?
    if (in_array((string) $value, $selected)) {
        $opt .= ' selected="selected"';

    // disabled?
    if (in_array($value, $disable)) {
        $opt .= ' disabled="disabled"';

    $opt .= '>' . $this->view->escape($label) . "</option>";

As you can see, the content within the option tag is escaped without any option to not escape it.


Posted by Christian Albrecht (alab) on 2010-03-11T01:29:08.000+0000

Not an issue

Posted by Christian Albrecht (alab) on 2010-03-11T02:35:20.000+0000

I must revert my Statement it is an issue, but it is not so easy to fix, because Zend_View->escape($val); always call_user_func with the value.

So one could do a bad hack like Zend_View->setEscape('trim') or similar but this leads to other issues.

The other solution could be to give Zend_Form_Decorator_ViewHelper a new method callbackReturnUnescaped($val) and do

if (false === $this->getOption('escape')) { Zend_View->setEscape(array($this,'callbackReturnUnescaped')); }

Have you found an issue?

See the Overview section for more details.


© 2006-2016 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.