cms_module_CreateFormStart - why cms_htmlentities on $extra?
Posted: Tue Sep 09, 2008 10:13 pm
I often add classes to my inputs by passing 'class="classname"' as the $addtext variable into CreateInputText, CreateInputSubmit, etc. Works like a charm.
However, I wanted to add a class to my form today. When I pass in the same - 'classname="formclass"' - as the $extra variable, things go crazy. The same issue arises if I pass in some JavaScript.
I did a little digging, and it seems cms_module_CreateFormStart in module.inc.php runs cms_htmlentities on the $extra parameter, while cms_module_CreateInputText and other functions DO NOT use cms_htmlentities on their $addtext parameter.
My question is - Why do this when creating a form, but not when creating an input? Is there a security issue this fixes? I can't imagine so, since the $extra parameter is passed in programmatically, not through user input.
The easy fix is to just pass in 'classname=formclass' ... browsers recognize this, and my CSS works fine. However, it doesn't validate.
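The two behaviours described in the post, side by side with a third option, as an added example that is not part of the original post and is not CMS Made Simple's code. PHP's `htmlspecialchars()` is assumed here as a stand-in for `cms_htmlentities`, and all three function names are hypothetical.

```php
<?php
// Added illustration only. htmlspecialchars() is an assumed stand-in for
// cms_htmlentities(); the function names below are hypothetical.

// Pattern A: entity-encode the whole attribute string (the $extra behaviour
// described in the post). The quotes that delimit the value get encoded too.
function form_start_encode_all(string $extra): string
{
    return '<form method="post" ' . htmlspecialchars($extra, ENT_QUOTES, 'UTF-8') . '>';
}

// Pattern B: insert the attribute string unmodified (the $addtext behaviour
// described in the post). Markup survives, but so does anything else in it.
function input_text_raw(string $name, string $addtext): string
{
    return '<input type="text" name="' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8')
        . '" ' . $addtext . ' />';
}

// Pattern C: accept attributes as name => value pairs, validate the names,
// and escape only the values. The delimiting quotes are written by the
// renderer, so they are never encoded and never under the caller's control.
function render_attributes(array $attrs): string
{
    $out = [];
    foreach ($attrs as $name => $value) {
        if (!preg_match('/^[A-Za-z_:][A-Za-z0-9_:.-]*$/', (string) $name)) {
            throw new InvalidArgumentException('Invalid attribute name');
        }
        $out[] = $name . '="' . htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8') . '"';
    }
    return implode(' ', $out);
}

// Constructed sample inputs.
$attrString = 'class="formclass"';
$oddValue   = 'form"class'; // a value that itself contains a double quote

echo form_start_encode_all($attrString), "\n";
echo input_text_raw('q', $attrString), "\n";
echo input_text_raw('q', 'class="' . $oddValue . '"'), "\n";
echo '<form method="post" ' . render_attributes(['class' => $oddValue]) . ">\n";
```

Pattern A turns the delimiting quotes into `&quot;`, so the browser no longer sees a quoted attribute value. Pattern B lets a quote inside the value end the attribute early, while Pattern C keeps valid markup in both cases.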