PHP :: Bug #13472 :: input type=hidden should be in a fieldset if there is one (XHTML and trans sid)

Bug #13472

input type=hidden should be in a fieldset if there is one (XHTML and trans sid)

Submitted:

2001-09-28 04:12 UTC

Modified:

2003-02-05 16:00 UTC

Votes:	32
Avg. Score:	4.6 ± 0.7
Reproduced:	30 of 30 (100.0%)
Same Version:	11 (36.7%)
Same OS:	21 (70.0%)

From:

mat at dioxine dot com

Assigned:

Status:

Closed

Package:

Session related

PHP Version:

4.3.0

OS:

Any

Private report:

CVE-ID:

None

View Developer Edit

[2001-09-28 04:12 UTC] mat at dioxine dot com

When enabling trans-id, php rewrites the forms to add an input type=hidden. the problem is that, in xhtml strict, inputs have to be in a fieldset element. when a fieldset element is already here, php still writes the input type=hidden before the fieldset, causing the page to be invalid html.
reproducing is easy :
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html
	PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
	"DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
	<title>PHP Bug with forms and sessions</title>
</head>
<body>
<form action="blabla.php"><fieldset><input type="submit" value="test" /></fieldset></form></body></html>

its valid html, but php will, with transid, make it invalid
by putting this input between the form and the fieldset...

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2001-12-05 10:22 UTC] sander@php.net

Not a bug. Making it a feature request.

[2001-12-05 13:22 UTC] mat at dioxine dot com

hum... not a bug ? PHP is not rewriting html code well, so I'd call it a bug :-)

Anyway... any chance to get it fixed soon ? 
That shouldnt be /that/ hard to do, since you just have to write the input after the first fieldset if there is one, or jst after the form is there isnt any...

[2001-12-07 09:16 UTC] sander@php.net

Reclassified back to session-related because Yasuo persuaded me to call it a bug ;)

[2002-03-03 07:34 UTC] ebola at psychoholics dot org

anyone know how long before this is fixed or if there is any known workaround?

[2002-03-03 08:04 UTC] mat at dioxine dot com

I could not find any suitable workaround :(
I hope this will be fixed soon, cause this is really killing me...

[2002-03-03 08:08 UTC] ebola at psychoholics dot org

Notice .. any blocklevel tag is affected .. not just fieldset and as such any solution to this problem should take this issue into account.

[2002-03-04 05:43 UTC] hholzgra@php.net

as a workaround in php.ini:

  url_rewriter.tags = "...,form=fakeentry"

change it to 

  url_rewriter.tags = "...,form=action"

to have the id added to the action url instead
of being added as a hidden field

gives you legal xhtml, but session id is
always a GET parameter, even with method=POST ...

[2002-03-05 08:07 UTC] mpillard at ens dot uvsq dot fr

Most people cannot access their host's php.ini...
Another workaround ? :)

[2002-03-05 08:16 UTC] hholzgra@php.net

you can modify this using .htaccess if your provider
allows that or change it at runtime usint ini_set()

[2002-03-06 03:05 UTC] yohgaki@php.net

Version update and added comment to summary

[2002-07-19 19:56 UTC] no dot th at nk dot you

Yep - this one is annoying me too.  Could the input not be held in its own div /div tag pair?  That would make it legal.

Cheers, David Bond

[2002-08-01 12:32 UTC] Martin at Skipsey dot com

I've tried using the following:

ini_set("url_rewriter.tags", "a=href,area=href,form=action");

However, now get the session BOTH in the action and in a fake entry.

Any suggestions?

[2002-09-23 21:04 UTC] nielsene at mit dot edu

I don't know if I should submit this as a new bug, or if its part of this one, but the <input> element added should be empty ie <input stuff /> in order to be valid xhtml in addition to the fieldset issue.  Probably should be a php.ini option, similar to being able to change argument_seperator.output from & to &amp;.

[2002-09-25 06:11 UTC] sas@php.net

Fixed in 4.3 CVS. Thanks for your report.

[2002-12-03 23:00 UTC] ebola at psychoholics dot org

to: sas@php.net

is this bug fixed entirely? re:

[3 Mar 8:08am] ebola@psychoholics.org
Notice .. any blocklevel tag is affected .. not just fieldset and as such any solution to this problem should take this issue into account.

[2003-01-05 19:10 UTC] node at nodefall dot de

is this really fixed?????

i have php 4.3 and php add the input tag directly after the form tag!

the only _fix_ i found is a comment  in the php.ini

; to URLs.  If you want XHTML conformity, remove the form entry.

[2003-01-08 17:07 UTC] php at jough dot com

It looks like they fixed the openness of input tags, i.e. - the tags close like <input /> rather than <input> but the hidden input field is still automatically inserted *outside* of a block-level element.

It's a mistake to automatically force the hidden input field on us to begin with.  Is there a way to turn JUST that part of the trans-id off?

This bug is still very much a problem in 4.3

[2003-01-08 19:07 UTC] node at nodefall dot de

so could anybody reopen this bug...
or create a new one?

[2003-01-12 15:38 UTC] nicos@php.net

Opened again.

[2003-02-05 16:00 UTC] sniper@php.net

The adding of the hidden input field can now be turned
off by just removing the 'form=' entry from url_rewriter.tags

[2003-02-05 19:10 UTC] xanthor at xanthor dot tk

And if we can't access php.ini ?

[2003-02-08 17:05 UTC] node at nodefall dot de

I won't disable this feature!!!!!!!!
Where is the Problem to add a <div> ???

Could you please reopen this BUG!
THX

[2003-03-03 19:25 UTC] vmizuba at queens dot org

"removing the 'form=' entry from url_rewriter.tags" does 
not solve the problem if: 1) session.use_cookies is "off" 
(forms need this hidden tag) 2) there is no access to 
php.ini. The solution is a matter of moving the hidden tag 
inserted below a block-level element as it was pointed out 
above. how do we get this bug reopened AND fixed correctly? 
TIA

[2003-03-05 02:36 UTC] node at nodefall dot de

just open a new one... this seems to be the only way

[2003-05-25 14:42 UTC] harrydeboer at home dot nl

PHP writes an extra <input type="hidden" etc /> in my code, which is html 4.01 strict. But in html 4.01 strict there should not be a closing slash, so the code becomes invalid.
Is there any way to solve that without changing php.ini?

[2003-11-14 16:20 UTC] yallis at surr dot no

I don't know if this bug has been fixed, but many of us is still stuck on hosts with "outdated" software. I solved this problem by putting this lines in my .htaccess:
<IfModule mod_php4.c>
  php_value arg_separator.output "&amp;"
  php_value url_rewriter.tags "a=href,area=href,frame=src,input=src"
</IfModule>
..and put the hidden form value where I wanted it with
<input type="hidden" name="PHPSESSID" value="<?php echo session_id(); ?>" />

Seem to work properly and my XHTML1.1 is valid.

[2004-01-30 06:12 UTC] ebola at psychoholics dot org

I am going to test this very soon and will be fairly surprised if it isn't fixed. I'll test on latest 4.x and 5.x. Maybe a patch if i get some free time.

Good night.

[2004-04-18 11:19 UTC] gareth at blueshadow dot org dot uk

How about, finding a form's first <input> tag, and inserting the hidden field just in front of that... 

That way, if the author has put their first input tag in a valid place, PHP won't change that, and if it isn't in a compliant place, again, PHP won't make it any more or less valid...

Just my $0.02

[2004-04-21 05:21 UTC] paulc at 4-life dot net

I'm also getting this problem. Is there a possible fix without having to edit the php.ini file?

[2004-08-26 01:51 UTC] glenjamin at gmail dot com

i've found that removing the form= and using fieldset=fakeentry worked fine for me on php 4.3.6

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Nov 21 11:01:29 2024 UTC