Converting 4.7.x themes to 4.7.4

Theming images

Changes to filter_xss_bad_protocol cause a cryptic bug in theme_image to surface. If your theme overrides the function theme_image and the override contains code copied from theme_image, be sure to update the way the image URL is generated.

See theme_image in includes/theme.inc for example code.

Theming forms

Drupal 4.7.4 saw the addition of a new default form field, form_token, to protect against cross-site request forgeries. The token ensures that forms submitted to the site were actually requested from it first.

There are a few potential issues surrounding the form_token.

Relying on specific, known form fields

If you do not output the form_token, the form will fail validation.

Consider the following example form:

<?php
function your_form() {
  $form['field'] = array(
    '#type' => 'textfield',
    '#title' => t('Example'),
    '#default_value' => 'text',
  );
  $form['submit'] = array(
    '#type' => 'submit',
    '#value' => t('Submit'),
  );
  return drupal_get_form('your_form_id', $form);
}
?>

Suppose you write a theme function for this form:

<?php
// Will cause form validation to fail.
function theme_your_form_id($form) {
  // Output fields in a specific order / with markup:
  $output = form_render($form['field']);
  $output .= form_render($form['form_id']);
  $output .= form_render($form['submit']);
  return $output;
}
?>

As the form_token will not be included in the HTML form the user receives, the token value won't be posted back and the form will fail validation.

The solution is easy: adapt your custom theme function so that it outputs the form_token field.

<?php
function theme_your_form_id($form) {
  // Output fields in a specific order / with markup:
  $output = form_render($form['field']);
  $output .= form_render($form['form_id']);
  $output .= form_render($form['submit']);

  // form_token necessary to pass validation
  $output .= form_render($form['form_token']);
  return $output;
}
?>

Or better:

<?php
function theme_your_form_id($form) {
  // Output fields in a specific order / with markup:
  $output = form_render($form['field']);
  $output .= form_render($form['submit']);

  // Render the remainder of the form, including hidden fields.
  $output .= form_render($form);
  return $output;
}
?>
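To find theme functions that still need this change, the check below scans theme source for functions that render form children one by one but never output form_token or the remainder of the form. It is an added example, not part of Drupal or of the original page; it is a regex heuristic written in Python, and the sample function names (theme_broken_form, theme_token_form, theme_remainder_form) are constructed.

```python
import re

# Heuristic regexes for Drupal 4.7-style theme functions (added example).
FUNC_RE = re.compile(r'function\s+(\w+)\s*\(\s*&?\s*\$form\s*\)\s*\{')
CHILD_RE = re.compile(r'form_render\(\s*\$form\[\s*[\'"]([^\'"]+)[\'"]\s*\]')
REST_RE = re.compile(r'form_render\(\s*\$form\s*\)')
COMMENT_RE = re.compile(r'//[^\n]*|/\*.*?\*/', re.S)

# Constructed sample theme source, modelled on the functions above.
SAMPLE = r"""<?php
function theme_broken_form($form) {
  $output = form_render($form['field']);
  $output .= form_render($form['submit']);
  // $output .= form_render($form);
  return $output;
}
function theme_token_form($form) {
  $output = form_render($form['field']);
  $output .= form_render($form['form_token']);
  return $output;
}
function theme_remainder_form($form) {
  $output = form_render($form['submit']);
  $output .= form_render($form);
  return $output;
}
"""

def function_body(src, open_brace):
    """Return the text between the brace at open_brace and its match."""
    depth = 0
    for i in range(open_brace, len(src)):
        depth += {'{': 1, '}': -1}.get(src[i], 0)
        if depth == 0:
            return src[open_brace + 1:i]
    return src[open_brace + 1:]  # unbalanced braces: scan to end of file

def audit_theme(src):
    """Names of functions that render form children but never form_token."""
    flagged = []
    for m in FUNC_RE.finditer(src):
        body = COMMENT_RE.sub('', function_body(src, m.end() - 1))
        children = set(CHILD_RE.findall(body))
        if not children:
            continue  # no per-field form_render calls to check
        if 'form_token' in children or REST_RE.search(body):
            continue  # token rendered explicitly or with the remainder
        flagged.append(m.group(1))
    return flagged

if __name__ == '__main__':
    for name in audit_theme(SAMPLE):
        print(name, 'renders fields individually but never outputs form_token')
```

Commented-out calls are ignored, so a theme function whose only `form_render($form)` call is commented out is still reported.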

 
 
