CCompareValidator.compareAttribute not safe by default

I’ve noticed that when using CCompareValidator, model attribute specified in compareAttribute param is not automatically added to safe list and it is not used in massive assignment.

So, when for example password change form has this simple validation rules:

return array


    	array('password_current', 'authenticate'), //Current password needs to be authenticated.

    	array('password_new_one', 'compare', 'compareAttribute'=>'password_new_two', 'skipOnError'=>true),


Such form will not work, because password_new_two will be empty. To avoid this, one must add:

array('password_new_two', 'safe')

Just to feed my curiosity - is this OK? Should it be done this way? For me personally this is a little bit nonsense. I thought that CCompareValidator will add both compared values to safe list and for massive assignment.

The "compare" validator is assigned to the "password_new_one"… compareAttribute and other values like skipOnError are just attributes to the validator… think of them like parameters to a function or method…

So yes, it is OK :D

OK. So, thanks for the explanation.