ZF-9412: 1. Accessing a value is a bug or a feature? 2. escapeFilter option is a bug or a feature?

Issue Type: Bug Created: 2010-03-11T19:23:18.000+0000 Last Updated: 2010-03-14T14:09:20.000+0000 Status: Resolved Fix version(s): - 1.10.3 (01/Apr/10)

Reporter: Oleg Demeshev (01eg) Assignee: Thomas Weidner (thomas) Tags: - Zend_Filter_Input

Related issues: Attachments:


This is a test code: array('StringTrim'), 'breakChainOnFailure' => true, 'presence' => 'required' ); $filters = array('account' => 'StringToUpper'); $validators = array('account' => 'Alpha'); $data['account'] = 'sdfgsdgGRDW'; $input = new Zend\_Filter\_Input($filters, $validators, $data, $options); if ($input->isValid()) { var\_dump('Hooray'); for($i = 0; $i < 5; $i++){ var\_dump($input->account); } } else { var\_dump('Not valid'); } ?>

  1. Just did run the Zend_Filter_Input througt the Xdebug and found that accessing the value($input->account) generate a getEscaped() functionality by default which was done when you access the isValid(). My opinion it should use the "getUnescaped()" by default if you used the isValid().
  2. if a value of $data['account'] is ' sdfgsdgGRDW', has the white spaces, it returns the 'Not valid' result. It does not care that my 'escapeFilter' is the 'StringTrim'. Should it go through the Filters first and then Validations?



Posted by Thomas Weidner (thomas) on 2010-03-12T15:16:45.000+0000

to 1.) When calling __get (also explicit) getEscaped() is correct. For security reasons Zend_Filter_Input will always return a value which conforms the security.

to 2.) According to the manual the espaceFilters are processed AFTER validation (different than the other filters). Returning a FALSE is correct within the given examples.

Posted by Thomas Weidner (thomas) on 2010-03-13T01:33:23.000+0000

Closing as non-issue

Posted by Oleg Demeshev (01eg) on 2010-03-14T12:59:56.000+0000

to 2.) Then the Zend_Filter_Input (espaceFilters(StringTriom) documentation is wrong, isn't it? Cause it will never work. This code is basically from documentation:

array('StringTrim')); $filters = array('account' => 'StringToUpper'); $validators = array('account' => 'Alpha'); $data['account'] = ' sdfgsdgGRDW '; $input = new Zend\_Filter\_Input($filters, $validators, $data, $options); if ($input->isValid()) { var\_dump('Valid');} else { var\_dump('Not valid'); } ?>

Posted by Thomas Weidner (thomas) on 2010-03-14T13:21:21.000+0000

Why should the example not work? The examples within manual are very clear.

And directly below the example you are referring to you can read: {quote} Filters to escape output should be run in this way, to make sure they run after validation. Other filters you declare in the array of filter rules are applied to input data before data are validated. If escaping filters were run before validation, the process of validation would be more complex, and it would be harder to provide both escaped and unescaped versions of the data. So it is recommended to declare filters to escape output using setDefaultEscapeFilter(), not in the $filters array. {quote}

Posted by Oleg Demeshev (01eg) on 2010-03-14T14:09:19.000+0000

Sorry, somehow lost this part.

Have you found an issue?

See the Overview section for more details.


© 2006-2018 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.