ZF-9412: 1. Accessing a value is a bug or a feature? 2. escapeFilter option is a bug or a feature?

Description

This is the test code:

    <?php
    require_once('Zend/Filter/Input.php');

    $options = array(
        'escapeFilter'        => array('StringTrim'),
        'breakChainOnFailure' => true,
        'presence'            => 'required'
    );
    $filters    = array('account' => 'StringToUpper');
    $validators = array('account' => 'Alpha');
    $data['account'] = 'sdfgsdgGRDW';

    $input = new Zend_Filter_Input($filters, $validators, $data, $options);
    if ($input->isValid()) {
        var_dump('Hooray');
        for ($i = 0; $i < 5; $i++) {
            var_dump($input->account);
        }
    } else {
        var_dump('Not valid');
    }
    ?>

  1. I just ran Zend_Filter_Input through Xdebug and found that accessing the value ($input->account) triggers the getEscaped() functionality by default, which is done when you call isValid(). In my opinion it should use getUnescaped() by default if you have used isValid().

  2. If the value of $data['account'] is ' sdfgsdgGRDW', i.e. it has whitespace, it returns the 'Not valid' result. It does not care that my 'escapeFilter' is 'StringTrim'. Should it go through the filters first and then the validations?

Cheers

Comments

to 1.) When calling __get (also explicitly), getEscaped() is correct. For security reasons Zend_Filter_Input will always return a value which conforms to the security requirements.

to 2.) According to the manual the escapeFilters are processed AFTER validation (different from the other filters). Returning FALSE is correct for the given examples.

Closing as non-issue

to 2.) Then the Zend_Filter_Input (escapeFilters (StringTrim)) documentation is wrong, isn't it? Because it will never work. This code is basically from the documentation:

    <?php
    require_once('Zend/Filter/Input.php');

    $options    = array('escapeFilter' => array('StringTrim'));
    $filters    = array('account' => 'StringToUpper');
    $validators = array('account' => 'Alpha');
    $data['account'] = ' sdfgsdgGRDW ';

    $input = new Zend_Filter_Input($filters, $validators, $data, $options);
    if ($input->isValid()) {
        var_dump('Valid');
    } else {
        var_dump('Not valid');
    }
    ?>

Why should the example not work? The examples within the manual are very clear.

And directly below the example you are referring to you can read:

{quote}
Filters to escape output should be run in this way, to make sure they run after validation. Other filters you declare in the array of filter rules are applied to input data before data are validated. If escaping filters were run before validation, the process of validation would be more complex, and it would be harder to provide both escaped and unescaped versions of the data. So it is recommended to declare filters to escape output using setDefaultEscapeFilter(), not in the $filters array.
{quote}

Sorry, somehow lost this part.
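The ordering described in the comments above (rule filters before validation, the default escape filter after it, and __get() returning the escaped value) as an added example; this is not the reporter's code nor Zend Framework's own. It assumes Zend Framework 1 (Zend/Filter/Input.php) is on the include_path; the input values, the 'comment' field and the showResult() helper are constructed for this example:

```php
<?php
// Added example, not the original report's code nor Zend Framework's own.
// Assumes Zend Framework 1 (Zend/Filter/Input.php) is on the include_path.
require_once 'Zend/Filter/Input.php';

// Input values constructed for this example.
$data = array(
    'account' => '  sdfgsdgGRDW  ',      // whitespace that Alpha would reject
    'comment' => 'Tom & "Jerry" <b>',    // characters that need escaping on output
);

// Rule filters run BEFORE validation. StringTrim belongs here if the
// whitespace must not make the Alpha validator fail.
$filters = array(
    'account' => array('StringTrim', 'StringToUpper'),
    'comment' => 'StringTrim',
);

// 'presence' => 'required' is the per-field form of the option the report
// set globally.
$validators = array(
    'account' => array('Alpha', 'presence' => 'required'),
    'comment' => 'NotEmpty',
);

$input = new Zend_Filter_Input($filters, $validators, $data);

// The escape filter is applied AFTER validation, and only to the values
// returned by getEscaped() / __get(); getUnescaped() bypasses it. The manual
// recommends declaring it this way rather than in $filters.
$input->setDefaultEscapeFilter('HtmlEntities');

// Helper constructed for this example: dumps both views of the valid data.
function showResult(Zend_Filter_Input $input)
{
    if (!$input->isValid()) {
        var_dump($input->getMessages());   // per-field validator messages
        return;
    }
    // Both accessors hold the trimmed, upper-cased, validated account ...
    var_dump($input->getUnescaped('account'));
    var_dump($input->getEscaped('account'));
    // ... but only the escaped accessors entity-encode the comment.
    var_dump($input->getUnescaped('comment'));
    var_dump($input->getEscaped('comment'));
    var_dump($input->comment);   // __get() is getEscaped(), as the maintainer notes
}

showResult($input);

// The report's variant: StringTrim declared only as the escape filter.
// Validation runs on the untrimmed value, so Alpha fails and isValid()
// returns FALSE, exactly as the maintainer states.
$broken = new Zend_Filter_Input(
    array('account' => 'StringToUpper'),
    array('account' => 'Alpha'),
    array('account' => '  sdfgsdgGRDW  '),
    array('escapeFilter' => 'StringTrim')
);
var_dump($broken->isValid());
```

Keeping StringTrim in $filters and reserving the escape filter for output encoding gives both behaviours the report wanted: whitespace no longer breaks validation, and the unescaped value stays available through getUnescaped() while the default accessor still returns the escaped one.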