Contrib.social

#date_year_range is not validated server-side

Open on Drupal.org โ†’
Created on 16 March 2022, about 3 years ago
Updated 29 January 2023, about 2 years ago

Problem/Motivation

When using #date_year_range on date form element, it adds min and max HTML attributes that prevents the browser from accepting a date outside this range.
However, if the browser does not support these attributes, the range is never checked server-side.

Steps to reproduce

Create a form with a date element then alter it:

/**
 * Implements hook_field_widget_WIDGET_TYPE_form_alter().
 */
function foo_field_widget_datetime_default_form_alter(array &$element) {
  $element['value']['#date_year_range'] = '1850:3000';
}

Then try to submit a date before 1850 with a browser that does not support the min attribute on date inputs (or with curl).

Proposed resolution

DateTime::validateDatetime() should check if the date is in the range.

๐Ÿ› Bug report
Status

Needs work

Version

9.5

Component
Formย  โ†’

Last updated about 18 hours ago

Created by

๐Ÿ‡ซ๐Ÿ‡ทFrance prudloff Lille

Live updates comments and jobs are added and updated live.
  • Needs tests

    The change is currently missing an automated test that fails when run with the original code, and succeeds when the bug has been fixed.

Sign in to follow issues

Merge Requests

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • Merge request !1976Issue #3269890: #date_year_range is not validated server-side โ†’ (Open) created by prudloff
  • Comment about 2 years ago โ†’
    ๐Ÿ‡บ๐Ÿ‡ธUnited States smustgrave

    This issue is being reviewed by the kind folks in Slack, #needs-review-queue-initiative. We are working to keep the size of Needs Review queue [2700+ issues] to around 400 (1 month or less), following Review a patch or merge request โ†’ as a guide.

    The MR will need to be updated to 9.5.x or 10.1.x

    also will require a test case to show the issue.

  • Pipeline finished with Failed
    about 2 months ago
    Total: 206s
    #443483
  • Pipeline finished with Failed
    about 2 months ago
    Total: 439s
    #443510
  • Pipeline finished with Success
    about 2 months ago
    Total: 346s
    #443514
  • Status changed to Needs review about 2 months ago
  • Comment about 2 months ago โ†’
    ๐Ÿ‡ซ๐Ÿ‡ทFrance prudloff Lille

    I rebased and added a test.

    Looking at the code, the logic may be located better in a place where it makes $date->hasErrors() (the line above the code changes) fail, but I'm not familiar enough with how these kinds of PHP classes should be coded to claim your code changes need to be reworked, so I'm leaving the issue state as is.

    DateTimePlus::hasErrors() checks if the date is a valid date but it has no notion of allowed values.

  • Pipeline finished with Failed
    about 2 months ago
    Total: 432s
    #443708
  • Pipeline finished with Success
    about 2 months ago
    Total: 1685s
    #443713
  • Comment about 2 months ago โ†’
    ๐Ÿ‡บ๐Ÿ‡ธUnited States smustgrave 
    1) Drupal\KernelTests\Core\Datetime\DatetimeElementFormTest::testRangeValidate
Failed asserting that null matches expected 'The range_datetime_element date is invalid. Date should be in the 1850-3000 year range.'.
/builds/issue/drupal-3269890/core/tests/Drupal/KernelTests/Core/Datetime/DatetimeElementFormTest.php:224
FAILURES!
Tests: 5, Assertions: 11, Failures: 1.

    Shows test coverage so removing the tag for tests, also the coverage being added looks great and in depth.

    Believe all feedback for this one has been addressed.

  • Comment 12 days ago โ†’
    ๐Ÿ‡ฌ๐Ÿ‡งUnited Kingdom catch

    Looks good but has merge conflicts.

  • First commit to issue fork.
  • Pipeline finished with Canceled
    about 19 hours ago
    #481950
  • Pipeline finished with Success
    about 18 hours ago
    Total: 655s
    #481953
  • Comment about 18 hours ago โ†’
    ๐Ÿ‡ฎ๐Ÿ‡ณIndia shalini_jha

    I have rebased this MR and resolved the merge conflicts. During the rebase, I noticed that some new behavior was introduced, so to ensure everything continues to work as expected, I re-ran the range test locally.

    While debugging, I found that the test was failing in the third scenario where the datetime value falls within the defined range. Due to the newly introduced behavior Here โœจ Datetime fields should utilise #required_error Needs review , the form state now includes additional errors such as datetime_required_error and datetime_no_required_error.

    To address this, I updated the third scenarioโ€™s assertion to only check that range_datetime_element is not present in the form state errors, as this is the specific error we are handling in this case in testRangeValidate() test method. With this change, the test now passes as expected.

    Moving this back to Needs Review.Kindly review.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024