ZF-12165: Warning: htmlspecialchars() expects parameter 1 to be string, array given in \Zend\View\Abstract.php on line 905

Description

If a user submits an array instead of an expected string for "non-array" form fields, this warning is generated.

Simple test:

$form->setMethod('get'); $q = new Zend_Form_Element_Text('q'); $form->addElement($q);

Submit the form. Edit the address bar to be 'q[]=' instead of 'q=' and the Zend View will emit the warning.

Comments

I'd argue this is expected and reasonable behavior. The error occurs when you try and pass an invalid value to be rendered; as such, you should correct your form.

I think you're looking at it from a different view than I am. In the example the form element does expect a string, and the developer should only expecting a string. However a "malicious" user can quite simply edit the URL to include the [].

http://host/form.php?q=hello vs http://host/form.php?q[]=hello.

Then that breaks the underlying Zend escaping mechanism. This shouldnt require developer intervention to fix that. We can do all the filtering/validation on the zend form end, but once the variable gets to the zend view end it will break.

Warning: htmlspecialchars() expects parameter 1 to be string, array given in \Zend\View\Abstract.php on line 905 is getting when I am not navigating to another page.(I am dispalying that form at html page).

Code: $this->setMethod('post'); $this->setAction('/index/save'); $first=new Zend_Form_Element_Text("first"); $first->setLabel("First Name"); $first->setAttrib('id','first'); $first->setAttrib('name','first'); $first->setAttrib('class','required'); $last=new Zend_Form_Element_Text("last"); $last->setAttrib('id','last'); $last->setLabel("Last Name"); $last->setAttrib('class','required'); $email=new Zend_Form_Element_Text("email"); $email->setAttrib('id','email'); $email->setAttrib('name','email'); $email->setLabel('UserId : '); $password = new Zend_Form_Element_Password("password"); $password ->setLabel('Password:'); $password ->setAttribs(array('id'=>'password', 'name'=>'password'));

    $submit=new Zend_Form_Element_Submit('submit');
    $submit->setAttrib('name','register');
    $submit->setAttrib('id','register');
    $submit->setValue('Submit');
    $this->addElements(array($email,$password,$first,$last,$submit));

In the above code, I am getting that warning only for the text element 'email'.

@Vatturi

I can not reproduce your problem. I have tested your form in a standard application environment and as a stand alone form. Please test the form outside your application.

You do not need {{setMethod('post')}}, {{setAttrib('id', …)}} or {{setAttrib('name', …)}}:


$this->setAction('/index/save');

$first = new Zend_Form_Element_Text('first');
$first->setLabel('First Name');
$first->setAttrib('class', 'required');

$last = new Zend_Form_Element_Text('last');
$last->setLabel('Last Name');
$last->setAttrib('class', 'required');

$email = new Zend_Form_Element_Text('email');
$email->setLabel('UserId : ');

$password = new Zend_Form_Element_Password('password');
$password->setLabel('Password:');

$submit = new Zend_Form_Element_Submit('submit');
$submit->setLabel('Submit');

$this->addElements(array($email, $password, $first, $last, $submit));

You will get the same HTML output.