From 814ec749b7450a225d62d6d778289c6715e30a99 Mon Sep 17 00:00:00 2001
From: chipin <fishbear.ccp@gmail.com>
Date: Mon, 25 May 2026 13:34:35 +0800
Subject: [PATCH] fix: stop encoding underscores in HTML attribute values
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Helper::buildHtmlAttributes() serializes widget attributes via
htmlentities($v, ENT_QUOTES | ENT_HTML5, 'UTF-8'). The HTML5 named-entity
table encodes "_" as "&lowbar;" (and " " as "&nbsp;", etc.), so a radio
widget rendered with name="account_category" ends up in the DOM as the
literal string "account&lowbar;category" — breaking [name="..."] selectors
and form submission for any column whose name contains an underscore.

Repro: $form->radio('account_category', '...') — source HTML shows
  name="account&amp;lowbar;category"
parsed DOM attribute value:
  account&lowbar;category   (literal, not "account_category")

Fix: use ENT_QUOTES only — same character set htmlspecialchars uses,
which is the correct rule for serializing HTML attribute values.

Affected widgets: Radio, Checkbox, Switch, and any custom widget that
uses formatHtmlAttributes(). Standard form fields rendered via Blade
{{ }} are unaffected.
---
 src/Support/Helper.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/Support/Helper.php b/src/Support/Helper.php
index b7b3da7cf..b249871bc 100755
--- a/src/Support/Helper.php
+++ b/src/Support/Helper.php
@@ -151,7 +151,9 @@ public static function buildHtmlAttributes($attributes)
             $element = '';
 
             if ($value !== null) {
-                $element = $key.'="'.htmlentities($value, ENT_QUOTES | ENT_HTML5, 'UTF-8').'" ';
+                // FIX: ENT_HTML5 named-entity table encodes "_" -> "&lowbar;" etc.,
+                // breaking attribute values like name="foo_bar". Use ENT_QUOTES only.
+                $element = $key.'="'.htmlentities($value, ENT_QUOTES, 'UTF-8').'" ';
             }
 
             $html .= $element;