I often add classes to my inputs by passing 'class="classname"' as the $addtext variable into CreateInputText, CreateInputSubmit, etc. Works like a charm.
However, I wanted to add a class to my form today. When I pass in the same - 'classname="formclass"' - as the $extra variable, things go crazy. The same issue arises if I pass in some JavaScript.
I did a little digging, and it seems cms_module_CreateFormStart in module.inc.php runs cms_htmlentities on the $extra parameter, while cms_module_CreateInputText and other functions DO NOT use cms_htmlentities on their $addtext parameter.
My question is - Why do this when creating a form, but not when creating an input? Is there a security issue this fixes? I can't imagine so, since the $extra parameter is passed in programmatically, not through user input.
The easy fix is to just pass in 'classname=formclass' ... browsers recognize this, and my CSS works fine. However, it doesn't validate.
cms_module_CreateFormStart - why cms_htmlentities on $extra?
Re: cms_module_CreateFormStart - why cms_htmlentities on $extra?
Yeah, that has been a problem for a long time now. I suppose you can either fix the problem yourself by editing that file or you can download my module (DL Suite: Support) and use the function NewFormStart or something like that. It works basically the same as CreateFormStart. Basically, I wrote that because I didn't want to overwrite anything in the core files.
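
Added example, not part of either post and not CMS Made Simple source: it shows why entity-encoding a whole attribute string mangles its quotes, next to a form-start helper that encodes only attribute values. The function names are hypothetical, and PHP's `htmlspecialchars()` stands in for `cms_htmlentities()` as an assumption about its behaviour.

```php
<?php
// Hypothetical helpers for illustration; not the code in module.inc.php.
// Assumption: htmlspecialchars() approximates what cms_htmlentities() does.

// Pattern described in the first post: the caller's whole attribute
// string is entity-encoded, so its own quote characters become &quot;.
function form_start_encode_whole(string $action, string $extra): string
{
    return '<form method="post" action="'
        . htmlspecialchars($action, ENT_QUOTES, 'UTF-8') . '" '
        . htmlspecialchars($extra, ENT_QUOTES, 'UTF-8') . '>';
}

// Alternative: accept attributes as name => value pairs, validate the
// names, and encode only the values. The helper writes the quotes itself,
// so the output stays valid and a value cannot close its own attribute.
function form_start_encode_values(string $action, array $attrs): string
{
    $html = '<form method="post" action="'
        . htmlspecialchars($action, ENT_QUOTES, 'UTF-8') . '"';
    foreach ($attrs as $name => $value) {
        $name = (string) $name;
        if (!preg_match('/^[a-zA-Z][a-zA-Z0-9:_-]*$/', $name)) {
            throw new InvalidArgumentException('Invalid attribute name: ' . $name);
        }
        $html .= ' ' . $name . '="'
            . htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8') . '"';
    }
    return $html . '>';
}

// Constructed sample inputs.
// 1. Whole-string encoding: the quotes around formclass are turned into entities.
echo form_start_encode_whole('index.php', 'class="formclass"'), "\n";

// 2. Per-value encoding: the same attribute comes out as valid markup.
echo form_start_encode_values('index.php', ['class' => 'formclass']), "\n";

// 3. A value containing a quote and angle brackets stays inside its attribute.
echo form_start_encode_values('index.php', ['class' => 'form"class<1>']), "\n";
```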