Bug #13472 input type=hidden should be in a fieldset if there is one (XHTML and trans sid)
Submitted: 2001-09-28 04:12 UTC
Modified: 2003-02-05 16:00 UTC
Votes:32
Avg. Score:4.6 ± 0.7
Reproduced:30 of 30 (100.0%)
Same Version:11 (36.7%)
Same OS:21 (70.0%)
From: mat at dioxine dot com
Assigned:
Status: Closed
Package: Session related
PHP Version: 4.3.0
OS: Any
Private report: No
CVE-ID:
 [2001-09-28 04:12 UTC] mat at dioxine dot com
When enabling trans-id, PHP rewrites the forms to add an input type=hidden. The problem is that, in XHTML strict, inputs have to be in a fieldset element. When a fieldset element is already here, PHP still writes the input type=hidden before the fieldset, causing the page to be invalid HTML.
Reproducing is easy:
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html
	PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
	"DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
	<title>PHP Bug with forms and sessions</title>
</head>
<body>
<form action="blabla.php"><fieldset><input type="submit" value="test" /></fieldset></form></body></html>

It's valid HTML, but PHP will, with transid, make it invalid
by putting this input between the form and the fieldset...

 [2001-12-05 10:22 UTC] sander@php.net
Not a bug. Making it a feature request.
 [2001-12-05 13:22 UTC] mat at dioxine dot com
Hum... not a bug? PHP is not rewriting HTML code well, so I'd call it a bug :-)

Anyway... any chance to get it fixed soon?
That shouldn't be /that/ hard to do, since you just have to write the input after the first fieldset if there is one, or just after the form if there isn't any...
 [2001-12-07 09:16 UTC] sander@php.net
Reclassified back to session-related because Yasuo persuaded me to call it a bug ;)
 [2002-03-03 07:34 UTC] ebola at psychoholics dot org
Anyone know how long before this is fixed or if there is any known workaround?
 [2002-03-03 08:04 UTC] mat at dioxine dot com
I could not find any suitable workaround :(
I hope this will be fixed soon, cause this is really killing me...
 [2002-03-03 08:08 UTC] ebola at psychoholics dot org
Notice .. any blocklevel tag is affected .. not just fieldset and as such any solution to this problem should take this issue into account.
 [2002-03-04 05:43 UTC] hholzgra@php.net
as a workaround in php.ini:

  url_rewriter.tags = "...,form=fakeentry"

change it to 

  url_rewriter.tags = "...,form=action"

to have the id added to the action url instead
of being added as a hidden field

gives you legal xhtml, but session id is
always a GET parameter, even with method=POST ...

 [2002-03-05 08:07 UTC] mpillard at ens dot uvsq dot fr
Most people cannot access their host's php.ini...
Another workaround ? :)
 [2002-03-05 08:16 UTC] hholzgra@php.net
You can modify this using .htaccess if your provider
allows that, or change it at runtime using ini_set()
 [2002-03-06 03:05 UTC] yohgaki@php.net
Version update and added comment to summary
 [2002-07-19 19:56 UTC] no dot th at nk dot you
Yep - this one is annoying me too.  Could the input not be held in its own div /div tag pair?  That would make it legal.

Cheers, David Bond
 [2002-08-01 12:32 UTC] Martin at Skipsey dot com
I've tried using the following:

ini_set("url_rewriter.tags", "a=href,area=href,form=action");

However, now get the session BOTH in the action and in a fake entry.

Any suggestions?
 [2002-09-23 21:04 UTC] nielsene at mit dot edu
I don't know if I should submit this as a new bug, or if it's part of this one, but the <input> element added should be empty, i.e. <input stuff />, in order to be valid XHTML, in addition to the fieldset issue.  Probably should be a php.ini option, similar to being able to change argument_seperator.output from & to &amp;.
 [2002-09-25 06:11 UTC] sas@php.net
Fixed in 4.3 CVS. Thanks for your report.
 [2002-12-03 23:00 UTC] ebola at psychoholics dot org
to: sas@php.net

is this bug fixed entirely? re:

[3 Mar 8:08am] ebola@psychoholics.org
Notice .. any blocklevel tag is affected .. not just fieldset and as such any solution to this problem should take this issue into account.
 [2003-01-05 19:10 UTC] node at nodefall dot de
Is this really fixed?????

I have PHP 4.3 and PHP adds the input tag directly after the form tag!

The only _fix_ I found is a comment in the php.ini

; to URLs.  If you want XHTML conformity, remove the form entry.
 [2003-01-08 17:07 UTC] php at jough dot com
It looks like they fixed the openness of input tags, i.e. - the tags close like <input /> rather than <input> but the hidden input field is still automatically inserted *outside* of a block-level element.

It's a mistake to automatically force the hidden input field on us to begin with.  Is there a way to turn JUST that part of the trans-id off?

This bug is still very much a problem in 4.3
 [2003-01-08 19:07 UTC] node at nodefall dot de
so could anybody reopen this bug...
or create a new one?
 [2003-01-12 15:38 UTC] nicos@php.net
Opened again.
 [2003-02-05 16:00 UTC] sniper@php.net
The adding of the hidden input field can now be turned
off by just removing the 'form=' entry from url_rewriter.tags


 [2003-02-05 19:10 UTC] xanthor at xanthor dot tk
And if we can't access php.ini ?
 [2003-02-08 17:05 UTC] node at nodefall dot de
I won't disable this feature!!!!!!!!
Where is the Problem to add a <div> ???

Could you please reopen this BUG!
THX
 [2003-03-03 19:25 UTC] vmizuba at queens dot org
"removing the 'form=' entry from url_rewriter.tags" does 
not solve the problem if: 1) session.use_cookies is "off" 
(forms need this hidden tag) 2) there is no access to 
php.ini. The solution is a matter of moving the hidden tag 
inserted below a block-level element as it was pointed out 
above. how do we get this bug reopened AND fixed correctly? 
TIA
 [2003-03-05 02:36 UTC] node at nodefall dot de
just open a new one... this seems to be the only way
 [2003-05-25 14:42 UTC] harrydeboer at home dot nl
PHP writes an extra <input type="hidden" etc /> in my code, which is html 4.01 strict. But in html 4.01 strict there should not be a closing slash, so the code becomes invalid.
Is there any way to solve that without changing php.ini?
 [2003-11-14 16:20 UTC] yallis at surr dot no
I don't know if this bug has been fixed, but many of us are still stuck on hosts with "outdated" software. I solved this problem by putting these lines in my .htaccess:
<IfModule mod_php4.c>
  php_value arg_separator.output "&amp;"
  php_value url_rewriter.tags "a=href,area=href,frame=src,input=src"
</IfModule>
..and put the hidden form value where I wanted it with
<input type="hidden" name="PHPSESSID" value="<?php echo session_id(); ?>" />

Seems to work properly and my XHTML1.1 is valid.
 [2004-01-30 06:12 UTC] ebola at psychoholics dot org
I am going to test this very soon and will be fairly surprised if it isn't fixed. I'll test on latest 4.x and 5.x. Maybe a patch if I get some free time.

Good night.
 [2004-04-18 11:19 UTC] gareth at blueshadow dot org dot uk
How about, finding a form's first <input> tag, and inserting the hidden field just in front of that... 

That way, if the author has put their first input tag in a valid place, PHP won't change that, and if it isn't in a compliant place, again, PHP won't make it any more or less valid...

Just my $0.02
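An added example (not part of this thread and not PHP's own URL rewriter) of the placement proposed in the comment above: the hidden session field is inserted in front of each form's first <input>. It assumes the 'form=' entry has been removed from url_rewriter.tags as described earlier in the thread, needs PHP 5.3 or later for the closure, and the function name insert_session_field is hypothetical.

```php
<?php
// Added example, not PHP's own rewriter. Assumes 'form=' has been removed
// from url_rewriter.tags so PHP itself no longer injects the hidden field.

/**
 * Insert a hidden session field in front of the first <input> of each form.
 * $name and $id are escaped because they end up inside HTML attributes.
 */
function insert_session_field($html, $name, $id)
{
    $field = '<input type="hidden" name="' . htmlspecialchars($name, ENT_QUOTES)
           . '" value="' . htmlspecialchars($id, ENT_QUOTES) . '" />';

    // Handle each <form>...</form> separately so the field is added once per form.
    return preg_replace_callback(
        '~<form\b[^>]*>.*?</form>~is',
        function ($m) use ($field) {
            $form = $m[0];
            // Offset of the first <input ...> tag the author wrote, if any.
            if (preg_match('~<input\b~i', $form, $hit, PREG_OFFSET_CAPTURE)) {
                $pos = $hit[0][1];
            } else {
                // No input at all: this example falls back to just before
                // </form> (its own choice, not something the thread specifies).
                $pos = strripos($form, '</form');
            }
            return substr($form, 0, $pos) . $field . substr($form, $pos);
        },
        $html
    );
}

// Constructed sample input: the form from the original report.
$page = '<form action="blabla.php"><fieldset>'
      . '<input type="submit" value="test" /></fieldset></form>';

// Constructed session name and id; a real page would pass
// session_name() and session_id() instead.
echo insert_session_field($page, 'PHPSESSID', 'abc123'), "\n";
```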
 [2004-04-21 05:21 UTC] paulc at 4-life dot net
I'm also getting this problem. Is there a possible fix without having to edit the php.ini file?
 [2004-08-26 01:51 UTC] glenjamin at gmail dot com
I've found that removing the form= and using fieldset=fakeentry worked fine for me on PHP 4.3.6
 
Last updated: Fri Apr 18 20:01:57 2014 UTC