Passed
Push — master ( c0a3a7...3b84a4 )
by Jeroen
58:51
created

views/default/input/form.php (1 issue)

Checks if an incompatible expression is used in output or concatenation.

Bug Minor
<?php
/**
 * Create a form for data submission.
 * Use this view for forms as it provides protection against CSRF attacks.
 *
 * @package Elgg
 * @subpackage Core
 *
 * @uses $vars['body'] The body of the form (made up of other input/xxx views and html)
 * @uses $vars['action'] The action URL of the form
 * @uses $vars['action_name'] The name of the action (for targeting particular forms while extending)
 * @uses $vars['method'] The submit method: post (default) or get
 * @uses $vars['enctype'] Set to 'multipart/form-data' if uploading a file
 * @uses $vars['disable_security'] turn off CSRF security by setting to true
 * @uses $vars['class'] Additional class for the form
 * @uses $vars['ignore_empty_body'] Boolean (default true) to determine if an empty body should return continue
 */

$defaults = [
	'method' => 'post',
	'disable_security' => false,
];

$vars = array_merge($defaults, $vars);

$vars['class'] = elgg_extract_class($vars, 'elgg-form');
$vars['action'] = elgg_normalize_url($vars['action']);
$vars['method'] = strtolower($vars['method']);

$ignore_empty_body = (bool) elgg_extract('ignore_empty_body', $vars, true);
unset($vars['ignore_empty_body']);

$body = $vars['body'];
unset($vars['body']);

if (!$ignore_empty_body && empty($body)) {
	return;
}

// Generate a security header
if (!$vars['disable_security']) {
	$body = elgg_view('input/securitytoken') . $body;
Are you sure $body of type mixed|string|string[] can be used in concatenation? (Ignorable by Annotation)

If this is a false-positive, you can also ignore this issue in your code via the ignore-type annotation

	$body = elgg_view('input/securitytoken') . /** @scrutinizer ignore-type */ $body;
}
unset($vars['disable_security']);
unset($vars['action_name']);

echo elgg_format_element('form', $vars, "<fieldset>$body</fieldset>");