By including the URL in the generated hash for secured forms we prevent
a class of abuse where a user uses one secured form to post into a
controller action the form was not originally intended for. These cross
action requests could potentially violate the developer's mental model of
how SecurityComponent works and produce unexpected/undesirable outcomes.
Thanks to Kurita Takashi for pointing this issue out, and suggesting
a fix.
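An added illustration of the idea in the message above, not CakePHP's SecurityComponent code: a form token computed over the field list alone verifies at any action that accepts those fields, while a token that also covers the target URL verifies only where the form was rendered. The secret, URLs, field names and function names are constructed for the example.

```php
<?php
// Added illustration; not CakePHP's SecurityComponent implementation.
// SECRET, formTokenFieldsOnly(), formToken() and verifyPost() are hypothetical names.
const SECRET = 'constructed-demo-secret'; // constructed value; a real app uses a random per-app key

/** Token over the field list only: nothing ties it to a particular action. */
function formTokenFieldsOnly(array $fields): string
{
    sort($fields);
    return hash_hmac('sha256', implode('|', $fields), SECRET);
}

/** Token over the target URL plus the field list: valid for one action only. */
function formToken(string $url, array $fields): string
{
    sort($fields);
    return hash_hmac('sha256', $url . "\n" . implode('|', $fields), SECRET);
}

/** Server-side check, recomputing the token from the URL actually requested. */
function verifyPost(string $requestUrl, array $postedFields, string $token, bool $bindUrl): bool
{
    $expected = $bindUrl
        ? formToken($requestUrl, $postedFields)
        : formTokenFieldsOnly($postedFields);
    return hash_equals($expected, $token); // constant-time comparison
}

// Constructed scenario: a form rendered for one action, posted to another.
$fields   = ['User.id', 'User.email'];
$formUrl  = '/users/edit/5';    // action the form was built for
$otherUrl = '/users/promote/5'; // different action accepting the same fields

$unboundToken = formTokenFieldsOnly($fields);
$boundToken   = formToken($formUrl, $fields);

// Fields-only token checked at the other action.
var_dump(verifyPost($otherUrl, $fields, $unboundToken, false));
// URL-bound token checked at its own action, then at the other action.
var_dump(verifyPost($formUrl, $fields, $boundToken, true));
var_dump(verifyPost($otherUrl, $fields, $boundToken, true));
```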
If inputs are placed outside of the form elements the form attribute
needs to be set on the hidden inputs. Without this attribute the empty
state does not submit correctly.
Fixes #3053
In general fixed the issue where enabling SECURE_SKIP for a field
skipped "required" attribute check altogether. Instead now "required"
is set to false for hidden fields by default.
Radio elements would contain ModelModelFieldValue instead of
ModelFieldValue like they should. This was caused by the fix for #3936
and lack of tests for create() + radio().
Fixes #4071
I believe I found a fix for this issue. I am here at #CakeFest2013 and during the #HourOfContribution I ran across this issue.
Currently in CakePHP 2.4 on lines 1522 - 1524 you can see the following code:
@@@ php
if ($label) {
    $optTitle = $this->Html->useTag('label', $tagName, '', $optTitle);
}
@@@
The $label variable here is the $label array passed into the input method in Sethathi's example above. The problem is that the $label array is completely ignored and instead a label is created using the HtmlHelper->useTag method.
I have what I believe is a fix for this issue but it hasn't been extensively tested. I tested against Sethathi's example in the ticket and it produced the correct result.
The fix is simple. We detect if an array is passed in and then send it to the FormHelper label method instead of the HtmlHelper useTag method. The FormHelper label method accepts an options array, so we pass in the $label array.
This will probably need to be fixed for checkbox also.
"ask":https://cakephp.lighthouseapp.com/users/235987 helped me with this fix
Replaced use of deprecated method getVar by get.
Improved DocBlocks, mostly data types
Removed deprecated DocBlock tag because it's an invalid use of such. This makes the method look like it was deprecated but in reality it's only one of the possible values of one of its parameters.