[dev] [cvs] commit: framework/Form/Form Renderer.php
Jan Schneider
jan at horde.org
Mon May 29 01:01:31 PDT 2006
Quote from Chuck Hagenbuch <chuck at horde.org>:
> chuck 2006-05-28 09:53:06 PDT
>
> Modified files:
> Form/Form Renderer.php
> Log:
> make sure to escape action and method also.
>
> Revision Changes Path
> 1.212 +3 -1 framework/Form/Form/Renderer.php
This could potentially break some GET forms. If we set the action to a
URL that contains parameters, these parameters usually are encoded
through Horde::url already. Applying htmlspecialchars() would escape
them twice. This shouldn't affect POST forms though because any URL
parameters should be ignored there.
And I don't see how it is necessary for method at all, since we only
use constant strings in the code and the number of valid methods is
quite limited. Doesn't hurt either of course.
Jan.
--
Do you need professional PHP or Horde consulting?
http://horde.org/consulting/
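The double escaping Jan describes, shown as an added PHP example that is not part of the Horde commit or this message; horde_url_like() is a constructed stand-in for Horde::url and the URL and parameter values are made up:

```php
<?php
// Constructed stand-in for Horde::url: as the message says, the query string it
// returns is already HTML-encoded ("&" becomes "&amp;"), ready to sit in an attribute.
function horde_url_like(string $base, array $params): string
{
    return $base . '?' . htmlspecialchars(http_build_query($params), ENT_QUOTES, 'UTF-8');
}

// Sample action URL for a GET form (values are made up).
$action = horde_url_like('index.php', ['module' => 'imp', 'page' => 'compose']);
// $action is now: index.php?module=imp&amp;page=compose

// Escaping the action again, as the committed change does, encodes the
// existing "&amp;" a second time. The browser turns "&amp;amp;" back into
// "&amp;", so the submitted query string carries a parameter named "amp;page"
// instead of "page": the GET form breaks.
$twice = htmlspecialchars($action, ENT_QUOTES, 'UTF-8');
// index.php?module=imp&amp;amp;page=compose

// Idempotent alternative: the fourth argument ($double_encode = false,
// available since PHP 5.2.3) leaves entities that are already valid alone,
// so pre-encoded URLs from Horde::url survive while a raw "&" or "<" still
// gets escaped.
$once = htmlspecialchars($action, ENT_QUOTES, 'UTF-8', false);
// index.php?module=imp&amp;page=compose

printf("raw:   %s\ntwice: %s\nonce:  %s\n", $action, $twice, $once);
```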