[dev] [cvs] commit: framework/Form/Form Renderer.php
Chuck Hagenbuch
chuck at horde.org
Mon May 29 07:21:57 PDT 2006
Quoting Jan Schneider <jan at horde.org>:
> This could potentially break some GET forms. If we set the action to a
> URL that contains parameters, these parameters usually are encoded
> through Horde::url already. Applying htmlspecialchars() would escape
> them twice. This shouldn't affect POST forms though because any URL
> parameters should be ignored there.
If we have places we do that, then yes. I'll need to revert it and do
the escaping in each form. Even with GET forms we should be specifying
additional parameters as hidden variables, not in the URL, ideally.
> And I don't see how it is necessary for method at all, since we only
> use constant strings in the code and the number of valid methods is
> quite limited. Doesn't hurt either of course.
Yeah, that was just being cautious. Could even just hardcode it to
post or get based on a simple if.
-chuck
--
"we are plastered to the windshield of the bus that is time." - Chris
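The double-escaping Jan describes above, and the hidden-input approach Chuck prefers for GET forms, as an added example written for this page (it is not code from Horde's Form Renderer or from either author; `renderForm`, `$alreadyEncoded` and the sample URL are illustrative, and PHP 7 or later is assumed). Calling htmlspecialchars() on a URL whose `&` separators are already `&amp;` turns them into `&amp;amp;`, so the browser submits a parameter literally named `amp;page`. The renderer below avoids that by keeping the action URL raw and escaping it exactly once at output, whitelists the method to `get`/`post` with a simple conditional instead of escaping it, and for GET forms moves the URL's query parameters into hidden inputs, since on GET submission the browser replaces the action's query string with the form fields.

```php
<?php
// Added example, not code from Horde's Form Renderer. Names are illustrative.

// Constructed input: a URL that an earlier layer (Horde::url in the thread)
// has already HTML-encoded, so its '&' separators are already '&amp;'.
$alreadyEncoded = 'index.php?app=mail&amp;page=compose';

// The pitfall: escaping again encodes the '&' of '&amp;' a second time.
$doubleEscaped = htmlspecialchars($alreadyEncoded, ENT_QUOTES, 'UTF-8');

/**
 * Render a form. $action is a raw (not yet HTML-encoded) URL; escaping is
 * done exactly once, at output. Only scalar query parameters are handled.
 */
function renderForm(string $action, string $method, array $fields): string
{
    // Whitelist the method instead of escaping it: callers only pass
    // constant strings, and only these two values are valid here.
    $method = (strtolower($method) === 'post') ? 'post' : 'get';

    $hidden = '';
    if ($method === 'get') {
        // On GET submission the browser replaces the action's query string
        // with the form fields, so parameters left in the URL are lost.
        // Move them into hidden inputs and strip them from the action.
        $query = parse_url($action, PHP_URL_QUERY);
        if (is_string($query) && $query !== '') {
            parse_str($query, $params);
            foreach ($params as $name => $value) {
                $hidden .= sprintf(
                    '<input type="hidden" name="%s" value="%s" />',
                    htmlspecialchars((string) $name, ENT_QUOTES, 'UTF-8'),
                    htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8')
                );
            }
            $action = substr($action, 0, strpos($action, '?'));
        }
    }

    // Escape the raw action once; each raw '&' becomes a single '&amp;'.
    $html = sprintf(
        '<form action="%s" method="%s">',
        htmlspecialchars($action, ENT_QUOTES, 'UTF-8'),
        $method
    );
    $html .= $hidden;
    foreach ($fields as $name => $value) {
        $html .= sprintf(
            '<input type="text" name="%s" value="%s" />',
            htmlspecialchars((string) $name, ENT_QUOTES, 'UTF-8'),
            htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8')
        );
    }
    return $html . '</form>';
}

// GET: the two URL parameters become hidden inputs and the action is bare.
echo renderForm('index.php?app=mail&page=compose', 'get', ['to' => 'a&b']), "\n";
// POST: browsers keep the action's query string, so it stays in the
// action attribute, escaped exactly once.
echo renderForm('index.php?app=mail&page=compose', 'POST', []), "\n";
// The double-escaped URL from the pitfall above, for comparison.
echo $doubleEscaped, "\n";
```

The point of keeping the action raw until render time is that there is then exactly one place where escaping happens, which is what reverting the blanket htmlspecialchars() call and escaping in each form amounts to. Relying on htmlspecialchars()'s `double_encode` flag (available in later PHP releases) would mask the symptom but still leaves a value whose encoding state depends on which layer touched it last.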