[development] Drupal 7 API Change notification: Four small-ishchanges

[Daniel F. Kudwien]

> (issue <http://drupal.org/node/140783> ) Select elements in forms
> now require a default value by default. In the past, #required on
> a select element was kind of silly. Now it's on by default. So if
> you have a select element which is not supposed to allow submission
> without having a selection chosen, you have to set #required =
> FALSE. Look carefully at this one if you have a select element in
> a form that you do not want to be #required.

Sorry, this is not correct.  Likely my fault, should've explained the API
change more precisely.

Select lists mostly behave as usual.  However, if a select list does not
have a #default_value or the #default_value is NULL, then the select list
automatically gets an empty default option that asks the user to select an
option.

This is a security hardening improvement, because browsers automatically
select the first available option in a select list, if no option has the
"selected" attribute.  This means that users were able to simply submit a
form without ever having looked at the select list, and the form validated
successfully.

For your code, this means that you should set no #default_value (or NULL),
in case you do not have a stored value for the select list, so the user is
forced to choose a value.

The empty default option only appears when there is no #default_value.
Usually, you do not want to mark a select list explicitly as #required =
TRUE (but of course you can do that).

The empty default option can be tweaked with #empty_value (its value) and
#empty_option (its label).  See
http://api.drupal.org/api/function/form_process_select/7 for details.

Basically the same behavior has been implemented for select lists that are
#required = FALSE.  However, in that case, the empty option is always
contained, so the user can choose "no value", whereas that actual value can
be set via #empty_value (which defaults to an empty string).

sun