Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Now that $edit is passed to #process you can always add $edit to #options and also the new form caching means if some callback sends options to JS via AHAH calls, it can also cache the options. Removing this flag just means that there is no sanctioned way to do this as there should not be. I was always at unease because of the existence of this attribute.
Comment | File | Size | Author |
---|---|---|---|
down_with_dangerous_skip_check.patch | 958 bytes | chx | |
Comments
Comment #1
moshe weitzman CreditAttribution: moshe weitzman commentedThe #process workaround handles this without a special case.
Comment #2
Gábor HojtsyLet's start from what was this used for "legally". I know it was used in some contrib modules "illegaly" and caused security problems. So what legal code would we brake by removing this. Where is the "update docs" on what to do if this gets removed? (We really need update docs if this gets committed).
Comment #3
yched CreditAttribution: yched commentedI was one of the ones who advocated for that flag.
It was for 4.7, and back then I needed it to AHAH-fill choices in a select based on the entry in a textfield, with too many (1000's, taken from db) possible values to make them all valid.
This use case is now supported by D6 FAPI/AHAH features, right ?
Comment #4
chx CreditAttribution: chx commentedyched, I already answered this: if some callback sends options to JS via AHAH calls, it can also cache the options in cache_form.
Comment #5
Gábor HojtsyThere were two sides to that use case, right? One is that the options where handled with AHAH, the other is that there were thousands of options. For caching would cache the thousands of options in the regular form structure right? I guess that was one thing people tried to avoid with this flag to save some performance.
Note that I am not advocating keeping this security hole possibility here, but I'd not commit the patch without understanding the consequences.
Comment #6
moshe weitzman CreditAttribution: moshe weitzman commented@In that use case, the developer can use #process to inject just the options that were selected into the #options array. He does so by reading in from $edit, which is available to #process functions.
Comment #7
Gábor HojtsyUnderstood, so committed. Please document this in the update docs. Leaving it code needs work for this reason.
Comment #8
moshe weitzman CreditAttribution: moshe weitzman commentedadded to update doc.
Comment #9
(not verified) CreditAttribution: commentedComment #10
pelicani CreditAttribution: pelicani commentedit would have been nicer if y'all provide a little more information on how to subvert this filter hook.
What is published in this thread, and anywhere else i've looked, isn't enough for the casual form api hacker.
>frustrated<
Comment #11
Harry SlaughterThe 'update doc' (http://drupal.org/node/114774#choice_check) points to this issue as a source of instruction on how to work around the removal of #DANGEROUS_SKIP_CHECK, yet this post provides no code examples on how to do it.
I have an awkward use case where I need to set CCK optionwidgets_select options dynamically. And after several hours trying different things, I cannot avoid the dreaded 'An illegal choice has been detected'.
Could someone provide a concrete, working example of code that alters the default form options safely?
Comment #12
ss81 CreditAttribution: ss81 commentedI don't know is my code safely or not, but I hope it can help. My example is based on Ubercart address fields, so some functions can be found in Udercart module.
"Country" field:
Function, assigned to "ss81/zone_select" path:
Really appreciate to author of http://drupal.org/project/weather for examples of code.
Comment #13
chx CreditAttribution: chx commentedThe oriignal post clearly says what can be done and also http://drupal.org/node/331941 is the proper AHAH way.
Comment #14
ss81 CreditAttribution: ss81 commentedI think such posts must be with code examples :)
Comment #16
raffuk CreditAttribution: raffuk commentedWhat if I don't wanna use AHAH? I'm using jquery only to add options to the select. Is there any *simple workaround*?
Comment #17
Ivan Zugec CreditAttribution: Ivan Zugec commentedCheck out this post.
http://drupal.org/node/303576
Comment #18
jhchnc CreditAttribution: jhchnc commentedDear Drupal,
I don't want to learn your crappy AHAH to rewrite the contents of a $%&-ing select box. Especially when I'm allowing for the select box to _become_ a textfield! Um, they can post whatever they %&*^-ing want!
Ok, I'm feeling better now.
SOLUTION: Initiate your select as a textfield. On document load, javascript it into a select. Boom. This is fine because you need to call it via script anyway... no harm, no foul. Plus, if script is turned off, a textfield is much more flexible for the user.
I win!