Render ‐ Form Elements - xoopscube/legacy GitHub Wiki

# XoopsForm and Form Input Handling in XoopsCube Legacy

XoopsCube Legacy keeps backwards compatibility with XoopsForm. This is an older pattern for handling form inputs securely, developed before modern PHP frameworks standardized these approaches.
## Core Components of XoopsForm

The XoopsForm system consists of several key components:

- **Base Form Class**: `XoopsForm` (in `form.php`) serves as the container for all form elements and handles the overall form rendering.
- **Form Element Classes**: Various element types like `XoopsFormHidden`, `XoopsFormText`, `XoopsFormSelect`, etc. that handle specific input types.
- **Token System**: Security tokens to prevent CSRF attacks.
- **Smarty Integration**: Custom Smarty plugins that render form elements in templates.
## How It Works

### 1. Form Creation and Element Addition

```php
// Create a form
$form = new XoopsForm('Title', 'form_name', 'action.php', 'post', true);

// Add elements to the form
$form->addElement(new XoopsFormText('Username', 'username', 30, 50, $default_value));
$form->addElement(new XoopsFormSelect('Options', 'options', $selected_value, $size, $multiple));
```
### 2. Security Token Integration

The `XoopsFormHiddenToken` class automatically generates a security token:

```php
// From formhiddentoken.php
public function __construct($name = null, $timeout = 360)
{
    if (empty($name)) {
        // No name given: use the site-wide multi-token handler and take its field name
        $token =& XoopsMultiTokenHandler::quickCreate(XOOPS_TOKEN_DEFAULT);
        $name = $token->getTokenName();
    } else {
        // A name was given: create a single token for this specific form
        $token =& XoopsSingleTokenHandler::quickCreate(XOOPS_TOKEN_DEFAULT);
    }
    // PHP4-style parent constructor call: emit a hidden field carrying the token value
    $this->XoopsFormHidden($name, $token->getTokenValue());
}
```
This token is then validated when the form is submitted to prevent CSRF attacks.
### 3. Form Rendering

Forms are rendered either directly through PHP or via Smarty templates:

```php
// Direct PHP rendering
echo $form->render();

// Or in Smarty templates
$xoopsTpl->assign('form', $form);
```
### 4. Multi-Select Handling

For multi-select elements, the render system:

- Creates a select element with the `multiple` attribute
- Appends `[]` to the name attribute to indicate it's an array
- When submitted, PHP automatically collects values as an array
- The form processing code then handles this array (converting to pipe-separated string, serializing, etc.)

```php
// Example
$plugin_select = new XoopsFormSelect('', 'module_options_enabled[]', $configs['module_options_enabled'], 5, true);
```
### 5. Value Processing

When the form is submitted, values are processed:

```php
// From previous example
switch ($name) {
    case 'module_options_enabled':
        // Handle multi-select values properly
        if (isset($_POST[$name]) && is_array($_POST[$name])) {
            // Store as a pipe-separated string (XoopsCube's standard format for arrays)
            $value = implode('|', $_POST[$name]);
        } else {
            $value = '';
        }
        break;
}
```
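The five steps above put together in one page, as an added example that is not XoopsCube Legacy's own code: the form is built with a text field, a multi-select whose name ends in `[]`, and a hidden token; on POST the token is checked before the multi-select array is collapsed to the pipe-separated format. It assumes the XoopsCube Legacy bootstrap (`mainfile.php`) has been included so the classes on this page are loaded; `XoopsFormSelect::addOption()` and `XoopsMultiTokenHandler::quickValidate()` are not shown on this page and are assumed to exist with the signatures used here.

```php
<?php
// Added example, not XoopsCube Legacy's own code. Assumes the framework
// bootstrap is loaded; addOption() and quickValidate() are assumed APIs.
require_once __DIR__ . '/mainfile.php';

// Constructed option list: value => label
$moduleOptions = [
    'search'   => 'Search',
    'comments' => 'Comments',
    'notify'   => 'Notifications',
];

function buildConfigForm(array $options, string $title, string $enabled): XoopsForm
{
    // Step 1: container form, posting back to this script
    $form = new XoopsForm('Module options', 'module_config', 'config.php', 'post', true);
    $form->addElement(new XoopsFormText('Title', 'title', 30, 50, $title));

    // Step 4: the [] suffix makes PHP deliver the selection as an array
    $select = new XoopsFormSelect('Enabled', 'module_options_enabled[]', explode('|', $enabled), 5, true);
    foreach ($options as $value => $label) {
        $select->addOption($value, $label); // assumed API
    }
    $form->addElement($select);

    // Step 2: hidden CSRF token (no name given, so the multi-token handler is used)
    $form->addElement(new XoopsFormHiddenToken());
    return $form;
}

function processConfigPost(array $post): ?array
{
    // Step 2 on the receiving side: a missing, expired or wrong token rejects the request
    if (!XoopsMultiTokenHandler::quickValidate(XOOPS_TOKEN_DEFAULT)) { // assumed API
        return null;
    }

    // Step 5: multi-select values arrive as an array; store them pipe-separated
    $enabled = '';
    if (isset($post['module_options_enabled']) && is_array($post['module_options_enabled'])) {
        $enabled = implode('|', $post['module_options_enabled']);
    }

    return [
        'title'                  => (string) ($post['title'] ?? ''),
        'module_options_enabled' => $enabled,
    ];
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $config = processConfigPost($_POST);
    if ($config === null) {
        // Token failure: report the error and do not persist anything
        echo 'Invalid or expired form token';
    } else {
        // Persist $config with the module's config handler here
    }
} else {
    // Step 3: direct PHP rendering
    echo buildConfigForm($moduleOptions, '', 'search|comments')->render();
}
```

The token check runs before any value is read so that a forged POST never reaches the storage path; the hidden token field is emitted with the default (multi-token) handler, which is why the matching multi-token validator is used on submit.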
## Security Features

- **CSRF Protection**: The token system prevents cross-site request forgery.
- **Type Safety**: Form elements enforce data types (like integers for numeric fields).
- **Input Sanitization**: The system includes methods to sanitize inputs before processing.
- **XSS Prevention**: Output is escaped when rendered in templates.
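The last three features applied to the value-processing side, as an added example in plain PHP (not XoopsCube Legacy's own code) so that it runs without the framework: a numeric field is validated as an integer with a range, the multi-select array is whitelisted against the options the form actually offered, and free text is escaped at render time rather than at storage time. The option list and the `$samplePost` submission are constructed for the example.

```php
<?php
// Added example, not XoopsCube Legacy's own code. Plain PHP; option list and
// sample submission are constructed.

function processModuleConfig(array $post, array $allowedOptions): array
{
    $errors = [];

    // Type safety: reject anything that is not an integer in the allowed range
    $limit = filter_var(
        $post['items_per_page'] ?? '',
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 100]]
    );
    if ($limit === false) {
        $errors[] = 'items_per_page must be an integer between 1 and 100';
        $limit = 10; // fall back to a safe default
    }

    // Input sanitization for the multi-select: a browser can only submit the
    // values that were offered, so anything else was added by hand and is dropped
    $submitted = $post['module_options_enabled'] ?? [];
    $submitted = is_array($submitted) ? $submitted : [];
    $rejected  = array_diff($submitted, $allowedOptions);
    if ($rejected !== []) {
        $errors[] = 'unknown options ignored: ' . implode(', ', $rejected);
    }
    // array_intersect keyed on the allowed list also gives a canonical order
    $enabled = array_values(array_intersect($allowedOptions, $submitted));

    // Free text is trimmed and length-limited here; HTML escaping belongs to output
    $title = mb_substr(trim((string) ($post['title'] ?? '')), 0, 50);

    return [
        'items_per_page'         => $limit,
        'module_options_enabled' => implode('|', $enabled), // XoopsCube's pipe-separated format
        'title'                  => $title,
        'errors'                 => $errors,
    ];
}

// XSS prevention: escape once, at the point where the value enters HTML
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed submission with a non-numeric limit, an option the form never
// offered, and markup in the title
$samplePost = [
    'title'                  => 'News <b>weekly</b>',
    'items_per_page'         => 'abc',
    'module_options_enabled' => ['search', 'debug'],
];

$result = processModuleConfig($samplePost, ['search', 'comments', 'notify']);

foreach ($result['errors'] as $error) {
    echo 'warning: ', escapeForHtml($error), "\n";
}
echo 'title: ', escapeForHtml($result['title']), "\n";
echo 'enabled: ', escapeForHtml($result['module_options_enabled']), "\n";
echo 'limit: ', $result['items_per_page'], "\n";
```

Storing the title unescaped and escaping on output is deliberate: the same stored value may later be emitted into HTML, an RSS feed or a JSON API, each of which needs its own encoding, whereas escaping before storage would bake HTML entities into data that other consumers then have to undo.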
This approach was quite advanced for its time, providing a structured way to handle form inputs securely
before modern frameworks made these patterns standard. The system separates form definition, rendering,
and processing, which is a good practice that's still used in modern frameworks today.