While including the entire protocol, host, port, path and query would be
even better in theory, it gets complicated when proxies and load
balancers are involved.
Fixes #3442
By including the URL in generated hash for secured forms we prevent
a class of abuse where a user uses one secured form to post into a
controller action the form was not originally intended for. These cross-action
requests could potentially violate developers' mental model of
how SecurityComponent works and produce unexpected/undesirable outcomes.
Thanks to Kurita Takashi for pointing this issue out, and suggesting
a fix.
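As an added illustration of the mechanism the commit above describes (this is not CakePHP's own SecurityComponent code), the token below binds the list of field names to the request path, so a token minted for one controller action fails verification when the same form is replayed against another. The secret, field names and paths are constructed placeholders.

```php
<?php
// Added example, not CakePHP's implementation: a form token that covers
// both the field names and the request path the form was rendered for.
// The path is used as the URL component to match the commit's choice of
// not hashing protocol, host or port (which proxies may rewrite).

function formToken(string $secret, string $path, array $fields): string
{
    sort($fields);                                    // canonical field order
    $material = $path . "\n" . implode("\n", $fields);
    return hash_hmac('sha256', $material, $secret);
}

function verifyFormToken(string $secret, string $path, array $fields, string $token): bool
{
    $expected = formToken($secret, $path, $fields);
    return hash_equals($expected, $token);            // constant-time comparison
}

$secret = 'constructed-app-secret';                   // placeholder secret
$fields = ['title', 'body', 'is_published'];

// Token minted when the form was rendered for /posts/add
$token = formToken($secret, '/posts/add', $fields);

// 1. Legitimate submission to the action the form was built for
var_dump(verifyFormToken($secret, '/posts/add', $fields, $token));

// 2. Same fields and token posted at a different controller action:
//    rejected, because the path is part of the hashed material
var_dump(verifyFormToken($secret, '/posts/edit/7', $fields, $token));

// 3. Field tampering at the intended action is still rejected
var_dump(verifyFormToken($secret, '/posts/add', ['title', 'body', 'is_admin'], $token));
```

Only the first check passes; the other two fail because either the path or the field list no longer matches what was hashed.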
For convenience I think it might be valuable to allow addCrumb (and possibly other similar functions) to return $this to permit chained calls such as this:
$this->Html->addCrumb('Admin', '/admin')->addCrumb('Blogs', '/admin/users')->addCrumb('Add');
as opposed to the considerably more verbose version that needs to be used now:
$this->Html->addCrumb('Admin', '/admin');
$this->Html->addCrumb('Blogs', '/admin/users');
$this->Html->addCrumb('Add');
I'm not sure if this violates some API conventions for helpers but it does seem rather more convenient to work with to me.
If inputs are placed outside of the form elements the form attribute
needs to be set on the hidden inputs. Without this attribute the empty
state does not submit correctly.
Fixes #3053
improved tests for testing against additional attributes for Form::secure()
improved tests for testing against additional attributes for Form::end()
removed array cast, fixed test
fixed docblock format
format
Fixed a bug, this won't work as some forms are just empty