
Disallow hexadecimal input with inList.

Instead of turning strict mode on or off based on the user-supplied input,
cast everything to strings and always use a strict check. This avoids the
potential issue of a malicious user supplying hexadecimal input where it
should not be accepted. Thanks to 'Kurita Takashi' for pointing this out.
mark_story 11 年 前
コミット
3936cce4b8

+ 4 - 0
lib/Cake/Test/Case/Utility/ValidationTest.php

@@ -1979,6 +1979,10 @@ class ValidationTest extends CakeTestCase {
 		$this->assertFalse(Validation::inList(2, array('1', '2x', '3')));
 		$this->assertFalse(Validation::inList('One', array('one', 'two')));
 
+		// No hexadecimal for numbers.
+		$this->assertFalse(Validation::inList('0x7B', array('ABC', '123')));
+		$this->assertFalse(Validation::inList('0x7B', array('ABC', 123)));
+
 		// case insensitive
 		$this->assertTrue(Validation::inList('one', array('One', 'Two'), true));
 		$this->assertTrue(Validation::inList('Two', array('one', 'two'), true));
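Review bot: The two new assertions only pin the hexadecimal case, but the change also removes the loose numeric match for every other numeric-looking string, and nothing in the hunk asserts that. Adding `$this->assertFalse(Validation::inList('1.0', array(1, 2)));` and `$this->assertFalse(Validation::inList('01', array('1')));` next to the hex checks, plus `$this->assertTrue(Validation::inList(1, array('1')));` to confirm an int check still matches its string form after the cast, would lock in the intended strict-string semantics. As far as I recall, whether `is_numeric('0x7B')` is true depends on the PHP version, so on some versions the hex assertions alone could pass against the old implementation too and would not prove the fix by themselves.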

+ 3 - 4
lib/Cake/Utility/Validation.php

@@ -800,14 +800,13 @@ class Validation {
  * @return bool Success.
  */
 	public static function inList($check, $list, $caseInsensitive = false) {
-		$strict = !is_numeric($check);
-
 		if ($caseInsensitive) {
 			$list = array_map('mb_strtolower', $list);
 			$check = mb_strtolower($check);
+		} else {
+			$list = array_map('strval', $list);
 		}
-
-		return in_array((string)$check, $list, $strict);
+		return in_array((string)$check, $list, true);
 	}
 
 /**
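Review bot: The two branches normalise `$list` differently: the strict branch casts every member with `strval`, while the case-insensitive branch leaves non-string members (ints, null, bools) to whatever coercion `mb_strtolower` applies, so a match there depends on that implicit conversion rather than on an explicit cast. Hoisting `$list = array_map('strval', $list);` above the `if` and dropping the `else` makes both paths compare string-to-string explicitly. Since `$check` is user input, an array value (a `field[]=x` form submission) is stringified to `'Array'` with a notice before the strict compare and would match a list containing that literal; a leading `if (is_array($check)) { return false; }` keeps that off the comparison. A short comment such as `// Cast to string and compare strictly so numeric-looking input (hex, leading zeros, exponents) cannot match loosely.` would record why the strict flag is no longer conditional.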