Yes, that can be solved quite easily. Normally, CakePHP wants to protect you from types of HTML injection, so in a lot of cases, strings you pass into functions will be escaped using a variant of htmlentities. That way the HTML string will not be rendered on screen as actual HTML.
You can avoid escaping strings by passing 'escape' => false inside the control method's options array. See the example below:
echo $this->Form->control('logo', ['escape' => false, 'label' => $this->Html->link(__('Name'), ['action' => 'someaction'])]);
Your full code would be as follows:
echo $this->Form->control('title', ['escape' => false, 'class' => 'input-text-half', 'label' => $this->Html->link(__('Name'), ['prefix' => false, 'controller' => 'somecontroller', 'action' => 'someaction'], ['class' => 'undefined'])]);
You should be very careful with escaping when it comes to strings that other users have control over, like fields in the database that hold user-submitted data (for instance, data submitted through your website's forms). By using 'escape' => false, the value inside the input is also not escaped. This can cause HTML from user-submitted data to be rendered.
If this is an add form, you can look away from this issue. If it is an edit form, the entity's current data is loaded into the input. Avoid this by escaping the value first, then adding it:
echo $this->Form->control('logo', ['escape' => false, 'value' => h($entity->logo), 'label' => $this->Html->link(__('Name'), ['action' => 'someaction'])]);
Suppose a user submits this logo value through your form:
/><a href="https://my-injection-site">injection</a><input "
This is now stored in the database.
When a user requests that entity to be edited, that value above will now be loaded into the form. As the value is unescaped, this is what your form will look like:
If you escape the value first, by putting it through the h($string) function, it will look like this (SAFE):
Please ask if anything is unclear.
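The following is an added example illustrating the answer above; it is not code from the original post and not CakePHP's own implementation. It runs with plain PHP and needs no framework: escape_value() stands in for CakePHP's h() (which wraps htmlspecialchars), render_text_input() is a hypothetical stand-in for what FormHelper::control() emits for a text field, and the stored payload is the answer's injection string with a leading double quote added (an assumption) so that it closes the value attribute the way a real stored XSS payload would.

```php
<?php
// Added example, not part of the original answer and not CakePHP code.
// Shows why 'escape' => false lets a stored value break out of the <input>,
// and why passing the value through h() first keeps it inside the attribute.

// Stand-in for CakePHP's h(): htmlspecialchars with quotes encoded.
function escape_value(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hypothetical stand-in for what FormHelper::control() emits for a text input.
// $escape mirrors the 'escape' option: false means label and value are written raw.
function render_text_input(string $name, string $value, string $label, bool $escape): string
{
    $attr = $escape ? escape_value($value) : $value;
    $lbl  = $escape ? escape_value($label) : $label;
    return '<label for="' . $name . '">' . $lbl . '</label>'
         . '<input type="text" name="' . $name . '" id="' . $name . '" value="' . $attr . '">';
}

// Constructed sample data: the answer's payload (leading quote assumed) as stored
// in the database, and a label that intentionally contains HTML we want rendered.
$stored = '"/><a href="https://my-injection-site">injection</a><input "';
$label  = '<a href="/somecontroller/someaction">Name</a>';

// 1. 'escape' => false with the raw value: the stored string closes the value
//    attribute, injects a link and opens a second <input>.
$unsafe = render_text_input('logo', $stored, $label, false);

// 2. 'escape' => false, but the value is passed through h() first (as in the
//    answer's 'value' => h($entity->logo)): quotes and angle brackets become
//    entities, so the payload stays inside the attribute while the label HTML
//    is still rendered.
$safe = render_text_input('logo', escape_value($stored), $label, false);

echo "Unescaped value:\n$unsafe\n\n";
echo "Value escaped first:\n$safe\n\n";

// Quick check: only the unescaped markup contains a second <input> tag and a
// second anchor (the injected one).
printf("inputs in unescaped markup: %d\n", substr_count($unsafe, '<input'));
printf("inputs in escaped markup:   %d\n", substr_count($safe, '<input'));
printf("anchors in unescaped markup: %d\n", substr_count($unsafe, '<a '));
printf("anchors in escaped markup:   %d\n", substr_count($safe, '<a '));
```

Run it with php on the command line; the first block prints two input tags and two anchors, the second one of each. One caveat when applying this to a real form: only pre-escape the value while 'escape' => false is set. With the default 'escape' => true, CakePHP escapes the value itself, and feeding it an already-escaped string produces double-encoded text such as &amp;quot; in the field.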