ZF-12165: Warning: htmlspecialchars() expects parameter 1 to be string, array given in \Zend\View\Abstract.php on line 905


If a user submits an array instead of an expected string for "non-array" form fields, this warning is generated.

Simple test:

$form->setMethod('get'); $q = new Zend_Form_Element_Text('q'); $form->addElement($q);

Submit the form. Edit the address bar to be 'q[]=' instead of 'q=' and the Zend View will emit the warning.


I'd argue this is expected and reasonable behavior. The error occurs when you try and pass an invalid value to be rendered; as such, you should correct your form.

I think you're looking at it from a different view than I am. In the example the form element does expect a string, and the developer should only expecting a string. However a "malicious" user can quite simply edit the URL to include the [].

http://host/form.php?q=hello vs http://host/form.php?q[]=hello.

Then that breaks the underlying Zend escaping mechanism. This shouldnt require developer intervention to fix that. We can do all the filtering/validation on the zend form end, but once the variable gets to the zend view end it will break.

Warning: htmlspecialchars() expects parameter 1 to be string, array given in \Zend\View\Abstract.php on line 905 is getting when I am not navigating to another page.(I am dispalying that form at html page).

Code: $this->setMethod('post'); $this->setAction('/index/save'); $first=new Zend_Form_Element_Text("first"); $first->setLabel("First Name"); $first->setAttrib('id','first'); $first->setAttrib('name','first'); $first->setAttrib('class','required'); $last=new Zend_Form_Element_Text("last"); $last->setAttrib('id','last'); $last->setLabel("Last Name"); $last->setAttrib('class','required'); $email=new Zend_Form_Element_Text("email"); $email->setAttrib('id','email'); $email->setAttrib('name','email'); $email->setLabel('UserId : '); $password = new Zend_Form_Element_Password("password"); $password ->setLabel('Password:'); $password ->setAttribs(array('id'=>'password', 'name'=>'password'));

    $submit=new Zend_Form_Element_Submit('submit');

In the above code, I am getting that warning only for the text element 'email'.


I can not reproduce your problem. I have tested your form in a standard application environment and as a stand alone form. Please test the form outside your application.

You do not need {{setMethod('post')}}, {{setAttrib('id', …)}} or {{setAttrib('name', …)}}:


$first = new Zend_Form_Element_Text('first');
$first->setLabel('First Name');
$first->setAttrib('class', 'required');

$last = new Zend_Form_Element_Text('last');
$last->setLabel('Last Name');
$last->setAttrib('class', 'required');

$email = new Zend_Form_Element_Text('email');
$email->setLabel('UserId : ');

$password = new Zend_Form_Element_Password('password');

$submit = new Zend_Form_Element_Submit('submit');

$this->addElements(array($email, $password, $first, $last, $submit));

You will get the same HTML output.