FoxyCart / FoxyCart-Cart-Validation--PHP

Automatically sign (with HMAC SHA-256) all links and forms in a block of HTML
http://wiki.foxycart.com/static/redirect/price_validation

Select option parsing error with HTML5 data attributes, not skipping h: field #11

Closed pixelchutes closed 3 years ago

pixelchutes commented 9 years ago

Given the following example <select>, I am noticing unexpected behavior on the empty option value:

BEFORE SIGNING

<select name="h:my_hidden_field" id="my_hidden_field" class="form-control">
    <option value="" data-index="0">Example (empty)</option>
    <option value="A" data-index="1">Example 1</option>
    <option value="B" data-index="2">Example 2</option>
    <option value="C" data-index="3">Example 3</option>
</select>

AFTER SIGNING

<select name="h:my_hidden_field" id="my_hidden_field" class="form-control">
    <option value="" data-index=||HMAC_HASH_HERE"0">Example (empty)</option>
    <option value="A||HMAC_HASH_HERE" data-index="1">Example 1</option>
    <option value="B||HMAC_HASH_HERE" data-index="2">Example 2</option>
    <option value="C||HMAC_HASH_HERE" data-index="3">Example 3</option>
</select>

Notice the placement of the hmac hash on the "empty" example.

Further, since this is for a hidden custom field, shouldn't the signing be skipping hidden fields altogether?

ghost commented 3 years ago

I made a PR to fix the signing of empty option values: https://github.com/FoxyCart/FoxyCart-Cart-Validation--PHP/pull/17
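The misplaced hash reported in this issue, reproduced as an added example (not the project's code and not the code from the linked PR). The regex is a hypothetical pattern that produces the same symptom, set beside a DOM-based variant that does not; the key, product code and signed message layout are assumptions made for illustration.

```php
<?php
// Added example. DEMO_KEY, DEMO_CODE and the signed message layout
// (code . name . value) are assumptions, not values from the project.
const DEMO_KEY  = 'constructed-demo-key';
const DEMO_CODE = 'constructed-sku';

function demo_hash(string $name, string $value): string
{
    return hash_hmac('sha256', DEMO_CODE . $name . $value, DEMO_KEY);
}

// Hypothetical pattern: ".+?" needs at least one character, so on value=""
// it runs past the closing quote and captures '" data-index=' as the value.
function sign_options_regex(string $html, string $name): string
{
    return preg_replace_callback(
        '/value=(["\'])(.+?)\1/',
        fn($m) => 'value=' . $m[1] . $m[2] . '||' . demo_hash($name, $m[2]) . $m[1],
        $html
    );
}

// DOM-based variant: reads the parsed attribute, so an empty value and
// neighbouring data-* attributes cannot move where the hash is appended.
function sign_options_dom(string $html, string $name): string
{
    $doc = new DOMDocument();
    $doc->loadHTML($html, LIBXML_NOERROR);
    foreach ($doc->getElementsByTagName('option') as $option) {
        $value = $option->getAttribute('value');
        $option->setAttribute('value', $value . '||' . demo_hash($name, $value));
    }
    return $doc->saveHTML($doc->getElementsByTagName('select')->item(0));
}

// Constructed sample, shortened from the markup in the report.
$html = '<select name="h:my_hidden_field" id="my_hidden_field">'
      . '<option value="" data-index="0">Example (empty)</option>'
      . '<option value="A" data-index="1">Example 1</option>'
      . '</select>';

echo sign_options_regex($html, 'h:my_hidden_field'), "\n\n";
echo sign_options_dom($html, 'h:my_hidden_field'), "\n";
```

In the first output the hash lands inside `data-index`, so the empty option carries no valid signature and its markup is corrupted; in the second every `value` ends in `||` followed by the 64-character hex digest.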