From 8bbc2d2ea0bfb6cf12f5f6f3edf82cca6429d046 Mon Sep 17 00:00:00 2001
From: David Rothstein
Date: Mon, 1 Dec 2014 18:33:09 -0500
Subject: Issue #2380053 by klausi, pwolanin, tsphethean, sun, David_Rothstein: Posting an array as value of a form element is allowed even when a string is expected (and bypasses #maxlength constraints) - first step: text fields
---
modules/system/system.module | 6 ++++++
1 file changed, 6 insertions(+)
(limited to 'modules/system')
diff --git a/modules/system/system.module b/modules/system/system.module
index a27493579..6a6200ea1 100644
--- a/modules/system/system.module
+++ b/modules/system/system.module
@@ -374,6 +374,9 @@ function system_element_info() {
 '#element_validate' => array('form_validate_machine_name'),
 '#theme' => 'textfield',
 '#theme_wrappers' => array('form_element'),
+ // Use the same value callback as for textfields; this ensures that we only
+ // get string values.
+ '#value_callback' => 'form_type_textfield_value',
 );
 $types['password'] = array(
 '#input' => TRUE,
@@ -382,6 +385,9 @@ function system_element_info() {
 '#process' => array('ajax_process_form'),
 '#theme' => 'password',
 '#theme_wrappers' => array('form_element'),
+ // Use the same value callback as for textfields; this ensures that we only
+ // get string values.
+ '#value_callback' => 'form_type_textfield_value',
 );
 $types['password_confirm'] = array(
 '#input' => TRUE,
--
cgit v1.2.3
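Review bot: The comment added in the `machine_name` hunk (and repeated in the `password` hunk) promises string-only values, but that guarantee rests entirely on `form_type_textfield_value()`, which is not in the visible diff because the view is limited to `modules/system`. The array-input rejection should be confirmed there and covered by a test that posts an array for each of the two element types. The comment would be more useful if it named the risk, e.g. `// Share the textfield value callback so that array input posted for this element is reduced to a string before #maxlength and the validators run.` For `password`, any other normalisation that callback applies to text input would now also apply to the submitted password, which is worth stating next to the assignment if it is intended. `system_element_info()` starts and ends outside both hunks.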