docs: add docs

kenjis · kenjis · commit a6024ba9bbc5 · 2023-05-19T19:35:08.000+09:00
diff --git a/user_guide_src/source/changelogs/v4.3.5.rst b/user_guide_src/source/changelogs/v4.3.5.rst
@@ -12,6 +12,9 @@ Release Date: Unreleased
 SECURITY
 ********
 
+- *Remote Code Execution Vulnerability in Validation Placeholders* was fixed.
+  See the `Security advisory GHSA-m6m8-6gq8-c9fj <https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-m6m8-6gq8-c9fj>`_
+  for more information.
 - Fixed that ``Session::stop()`` did not destroy the session.
   See :ref:`Session Library <session-stop>` for details.
 
diff --git a/user_guide_src/source/installation/upgrade_435.rst b/user_guide_src/source/installation/upgrade_435.rst
@@ -18,6 +18,13 @@ Mandatory File Changes
 Breaking Changes
 ****************
 
+Validation Placeholders
+=======================
+
+- To use :ref:`validation-placeholders` securely, when you use validation placeholders
+  and if you don't set the validation rules for the placeholder field, you need
+  to set the validation rules for it.
+
 Session::stop()
 ===============
 
diff --git a/user_guide_src/source/libraries/validation.rst b/user_guide_src/source/libraries/validation.rst
@@ -436,6 +436,8 @@ This method sets a rule group from the validation configuration to the validatio
 
 .. literalinclude:: validation/018.php
 
+.. _validation-placeholders:
+
 Validation Placeholders
 =======================
 
@@ -446,6 +448,9 @@ replaced by the **value** of the matched incoming field. An example should clari
 
 .. literalinclude:: validation/020.php
 
+.. note:: Since v4.3.5, you must set the validation rules for the placeholder
+    field (``id``).
+
 In this set of rules, it states that the email address should be unique in the database, except for the row
 that has an id matching the placeholder's value. Assuming that the form POST data had the following:
 
@@ -457,6 +462,9 @@ then the ``{id}`` placeholder would be replaced with the number **4**, giving th
 
 So it will ignore the row in the database that has ``id=4`` when it verifies the email is unique.
 
+.. note:: Since v4.3.5, if the placeholder (``id``) value does not pass the
+    validation, the placeholder would not be replaced.
+
 This can also be used to create more dynamic rules at runtime, as long as you take care that any dynamic
 keys passed in don't conflict with your form data.
 
diff --git a/user_guide_src/source/libraries/validation/020.php b/user_guide_src/source/libraries/validation/020.php
@@ -1,5 +1,6 @@
 <?php
 
 $validation->setRules([
+    'id'    => 'is_natural_no_zero',
     'email' => 'required|valid_email|is_unique[users.email,id,{id}]',
 ]);
diff --git a/user_guide_src/source/libraries/validation/022.php b/user_guide_src/source/libraries/validation/022.php
@@ -1,5 +1,6 @@
 <?php
 
 $validation->setRules([
+    'id'    => 'is_natural_no_zero',
     'email' => 'required|valid_email|is_unique[users.email,id,4]',
 ]);
