HTMLMultiSelectField: Reject nested arrays early

Users can pass multidimensional arrays in query parameters to PHP
(e.g. ?foo[a][b]=bar). While filterDataForSubmit() ensured that anyone
using HTMLMultiSelectField in their form did not see them, internal
code here did not handle them correctly when validating the values and
generating the inputs, resulting in warnings deep in other code.

Use is_scalar instead of is_string in case default values somewhere
are integers or other non-string types.

Bug: T274955
Change-Id: I072a722ed025d687bfe755261a9896457f68f2ef
Bartosz Dziewoński 2021-02-18 22:19:25 +01:00
parent aafa9dc153
commit 58087fb737

@ -50,6 +50,9 @@ class HTMLMultiSelectField extends HTMLFormField implements HTMLNestedFilterable
return false;
}
// Reject nested arrays (T274955)
$value = array_filter( $value, 'is_scalar' );
# If all options are valid, array_intersect of the valid options
# and the provided options will return the provided options.
$validOptions = HTMLFormField::flattenOptions( $this->getOptions() );
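Review bot: The added array_filter( $value, 'is_scalar' ) in the validation path drops nested entries silently instead of failing validation, so a submission that mixes a nested array with otherwise valid options is checked only on what remains after filtering. If the intent is what the comment says ("Reject nested arrays"), compare the filtered array's count with the input's and return a validation failure on a mismatch; if silently ignoring them is intended, reword the comment to say "Ignore". Also note that is_scalar accepts booleans and floats as well as strings and integers, and that array_filter preserves the original keys, which is fine for the array_intersect described in the next comment but matters if the result is later treated as a list.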
@ -165,6 +168,9 @@ class HTMLMultiSelectField extends HTMLFormField implements HTMLNestedFilterable
public function getInputOOUI( $value ) {
$this->mParent->getOutput()->addModules( 'oojs-ui-widgets' );
// Reject nested arrays (T274955)
$value = array_filter( $value, 'is_scalar' );
$hasSections = false;
$optionsOouiSections = [];
$options = $this->getOptions();
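Review bot: In getInputOOUI() the new array_filter call is applied to $value with no visible check that it is an array. In the validation hunk the filter follows an early "return false", but nothing in this hunk guards a null or scalar value, and array_filter does not accept a non-array argument (a warning on PHP 7, a TypeError on PHP 8). Consider a guard or a cast such as `$value = array_filter( (array)$value, 'is_scalar' );`. Since the same two lines now appear in both hunks, moving them into one private helper would keep the validation and rendering paths from drifting apart.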