In the case were the key of the edit array does not exist in the form array, a new element with that name will be created. e.g.

http://www.example.com/node/add/story?edit[rubbish]=hello

will add an element 'rubbish' to the form.

While this element doesn't actually appear on the page as it hasn't any attributes, I don't think it should happen. The attached patch fixes this.

It also checks that the array keys in $_GET['edit'] are child_elements - it seems like it might be a wise thing to do, though may not be strictly necessary.

CommentFileSizeAuthor
no-element-creation.patch.txt1.22 KBegfrith

Comments

eafarris’s picture

Status: Needs review » Fixed

Committed to HEAD. Thanks!

Anonymous’s picture

Status: Fixed » Closed (fixed)