php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #13472 input type=hidden should be in a fieldset if there is one (XHTML and trans sid)
Submitted: 2001-09-28 04:12 UTC Modified: 2003-02-05 16:00 UTC
Votes:32
Avg. Score:4.6 ± 0.7
Reproduced:30 of 30 (100.0%)
Same Version:11 (36.7%)
Same OS:21 (70.0%)
From: mat at dioxine dot com Assigned:
Status: Closed Package: Session related
PHP Version: 4.3.0 OS: Any
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: mat at dioxine dot com
New email:
PHP Version: OS:

 

 [2001-09-28 04:12 UTC] mat at dioxine dot com 
When enabling trans-id, php rewrites the forms to add an input type=hidden. the problem is that, in xhtml strict, inputs have to be in a fieldset element. when a fieldset element is already here, php still writes the input type=hidden before the fieldset, causing the page to be invalid html.
reproducing is easy :
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html
	PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
	"DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
	<title>PHP Bug with forms and sessions</title>
</head>
<body>
<form action="blabla.php"><fieldset><input type="submit" value="test" /></fieldset></form></body></html>

its valid html, but php will, with transid, make it invalid
by putting this input between the form and the fieldset...

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2001-12-05 10:22 UTC] sander@php.net 
Not a bug. Making it a feature request.
 [2001-12-05 13:22 UTC] mat at dioxine dot com 
hum... not a bug ? PHP is not rewriting html code well, so I'd call it a bug :-)

Anyway... any chance to get it fixed soon ? 
That shouldnt be /that/ hard to do, since you just have to write the input after the first fieldset if there is one, or jst after the form is there isnt any...
 [2001-12-07 09:16 UTC] sander@php.net 
Reclassified back to session-related because Yasuo persuaded me to call it a bug ;)
 [2002-03-03 07:34 UTC] ebola at psychoholics dot org 
anyone know how long before this is fixed or if there is any known workaround?
 [2002-03-03 08:04 UTC] mat at dioxine dot com 
I could not find any suitable workaround :(
I hope this will be fixed soon, cause this is really killing me...
 [2002-03-03 08:08 UTC] ebola at psychoholics dot org 
Notice .. any blocklevel tag is affected .. not just fieldset and as such any solution to this problem should take this issue into account.
 [2002-03-04 05:43 UTC] hholzgra@php.net 
as a workaround in php.ini:

  url_rewriter.tags = "...,form=fakeentry"

change it to 

  url_rewriter.tags = "...,form=action"

to have the id added to the action url instead
of being added as a hidden field

gives you legal xhtml, but session id is
always a GET parameter, even with method=POST ...
 [2002-03-05 08:07 UTC] mpillard at ens dot uvsq dot fr 
Most people cannot access their host's php.ini...
Another workaround ? :)
 [2002-03-05 08:16 UTC] hholzgra@php.net 
you can modify this using .htaccess if your provider
allows that or change it at runtime usint ini_set()
 [2002-03-06 03:05 UTC] yohgaki@php.net 
Version update and added comment to summary
 [2002-07-19 19:56 UTC] no dot th at nk dot you 
Yep - this one is annoying me too.  Could the input not be held in its own div /div tag pair?  That would make it legal.

Cheers, David Bond
 [2002-08-01 12:32 UTC] Martin at Skipsey dot com 
I've tried using the following:

ini_set("url_rewriter.tags", "a=href,area=href,form=action");

However, now get the session BOTH in the action and in a fake entry.

Any suggestions?
 [2002-09-23 21:04 UTC] nielsene at mit dot edu 
I don't know if I should submit this as a new bug, or if its part of this one, but the <input> element added should be empty ie <input stuff /> in order to be valid xhtml in addition to the fieldset issue.  Probably should be a php.ini option, similar to being able to change argument_seperator.output from & to &amp;.
 [2002-09-25 06:11 UTC] sas@php.net 
Fixed in 4.3 CVS. Thanks for your report.
 [2002-12-03 23:00 UTC] ebola at psychoholics dot org 
to: sas@php.net

is this bug fixed entirely? re:

[3 Mar 8:08am] ebola@psychoholics.org
Notice .. any blocklevel tag is affected .. not just fieldset and as such any solution to this problem should take this issue into account.
 [2003-01-05 19:10 UTC] node at nodefall dot de 
is this really fixed?????

i have php 4.3 and php add the input tag directly after the form tag!

the only _fix_ i found is a comment  in the php.ini

; to URLs.  If you want XHTML conformity, remove the form entry.
 [2003-01-08 17:07 UTC] php at jough dot com 
It looks like they fixed the openness of input tags, i.e. - the tags close like <input /> rather than <input> but the hidden input field is still automatically inserted *outside* of a block-level element.

It's a mistake to automatically force the hidden input field on us to begin with.  Is there a way to turn JUST that part of the trans-id off?

This bug is still very much a problem in 4.3
 [2003-01-08 19:07 UTC] node at nodefall dot de 
so could anybody reopen this bug...
or create a new one?
 [2003-01-12 15:38 UTC] nicos@php.net 
Opened again.
 [2003-02-05 16:00 UTC] sniper@php.net 
The adding of the hidden input field can now be turned
off by just removing the 'form=' entry from url_rewriter.tags
 [2003-02-05 19:10 UTC] xanthor at xanthor dot tk 
And if we can't access php.ini ?
 [2003-02-08 17:05 UTC] node at nodefall dot de 
I won't disable this feature!!!!!!!!
Where is the Problem to add a <div> ???

Could you please reopen this BUG!
THX
 [2003-03-03 19:25 UTC] vmizuba at queens dot org 
"removing the 'form=' entry from url_rewriter.tags" does 
not solve the problem if: 1) session.use_cookies is "off" 
(forms need this hidden tag) 2) there is no access to 
php.ini. The solution is a matter of moving the hidden tag 
inserted below a block-level element as it was pointed out 
above. how do we get this bug reopened AND fixed correctly? 
TIA
 [2003-03-05 02:36 UTC] node at nodefall dot de 
just open a new one... this seems to be the only way
 [2003-05-25 14:42 UTC] harrydeboer at home dot nl 
PHP writes an extra <input type="hidden" etc /> in my code, which is html 4.01 strict. But in html 4.01 strict there should not be a closing slash, so the code becomes invalid.
Is there any way to solve that without changing php.ini?
 [2003-11-14 16:20 UTC] yallis at surr dot no 
I don't know if this bug has been fixed, but many of us is still stuck on hosts with "outdated" software. I solved this problem by putting this lines in my .htaccess:
<IfModule mod_php4.c>
  php_value arg_separator.output "&amp;"
  php_value url_rewriter.tags "a=href,area=href,frame=src,input=src"
</IfModule>
..and put the hidden form value where I wanted it with
<input type="hidden" name="PHPSESSID" value="<?php echo session_id(); ?>" />

Seem to work properly and my XHTML1.1 is valid.
 [2004-01-30 06:12 UTC] ebola at psychoholics dot org 
I am going to test this very soon and will be fairly surprised if it isn't fixed. I'll test on latest 4.x and 5.x. Maybe a patch if i get some free time.

Good night.
 [2004-04-18 11:19 UTC] gareth at blueshadow dot org dot uk 
How about, finding a form's first <input> tag, and inserting the hidden field just in front of that... 

That way, if the author has put their first input tag in a valid place, PHP won't change that, and if it isn't in a compliant place, again, PHP won't make it any more or less valid...

Just my $0.02
 [2004-04-21 05:21 UTC] paulc at 4-life dot net 
I'm also getting this problem. Is there a possible fix without having to edit the php.ini file?
 [2004-08-26 01:51 UTC] glenjamin at gmail dot com 
i've found that removing the form= and using fieldset=fakeentry worked fine for me on php 4.3.6
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Sun Oct 26 05:00:01 2025 UTC