Security update for Core, with self-updated composer

[yaffs-website] / web / core / lib / Drupal / Core / Render / Element / Radio.php

diff --git a/web/core/lib/Drupal/Core/Render/Element/Radio.php b/web/core/lib/Drupal/Core/Render/Element/Radio.php
index 8687a9dcfc980cf85a367b752db3566f7f30cc67..e178463eead20735aca97607d07d36a5cbc6ec74 100644 (file)
--- a/web/core/lib/Drupal/Core/Render/Element/Radio.php
+++ b/web/core/lib/Drupal/Core/Render/Element/Radio.php
@@ -54,7 +54,18 @@ class Radio extends FormElement {
     $element['#attributes']['type'] = 'radio';
     Element::setAttributes($element, ['id', 'name', '#return_value' => 'value']);
 
-    if (isset($element['#return_value']) && $element['#value'] !== FALSE && $element['#value'] == $element['#return_value']) {
+    // To avoid auto-casting during '==' we convert $element['#value'] and
+    // $element['#return_value'] to strings. It will prevent wrong true-checking
+    // for both cases: 0 == 'string' and 'string' == 0, this will occur because
+    // all numeric array values will be integers and all submitted values will
+    // be strings. Array values are never valid for radios and are skipped. To
+    // account for FALSE and empty string values in the #return_value, we will
+    // consider any #value that evaluates to empty to be the same as any
+    // #return_value that evaluates to empty.
+    if (isset($element['#return_value']) &&
+      $element['#value'] !== FALSE &&
+      !is_array($element['#value']) &&
+      ((empty($element['#value']) && empty($element['#return_value'])) || (string) $element['#value'] === (string) $element['#return_value'])) {
       $element['#attributes']['checked'] = 'checked';
     }
     static::setAttributes($element, ['form-radio']);