Form_helper's set_value() does not form_prep() the $default #1630

Closed
lanzz opened this Issue · 2 comments

3 participants

@lanzz

The CI documentation about form_prep() states:

If you use any of the form helper functions listed in this page the form values will be prepped automatically, so there is no need to call this function. Use it only if you are creating your own form elements.

This turns out to be untrue: the $default parameter of set_value() is never prepped, as seen on line 681 in system/helpers/form_helper.php (CI v2.1.2):

679  if ( ! isset($_POST[$field]))
680  {
681    return $default;
682  }
683
684  return form_prep($_POST[$field], $field);

I see no useful cases where one would want to pass raw HTML (as opposed to prepped) as the default value of set_value(), so this seems like a bug to me.
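The behaviour reported above, reproduced as an added example that is not part of the original issue and is not CodeIgniter's own code: `set_value_unprepped()`, `set_value_escaped()` and `render_input()` are hypothetical stand-ins, and `htmlspecialchars()` stands in for the framework's escaping helper. The stored value is constructed sample data.

```php
<?php
// Added illustration: stand-alone stand-ins, not CodeIgniter's source.

// Mirrors the logic quoted from lines 679-684: the submitted value is
// escaped, but the $default is handed back untouched.
function set_value_unprepped(array $post, string $field, string $default = ''): string
{
    if (!isset($post[$field])) {
        return $default; // raw, as on line 681
    }
    return htmlspecialchars($post[$field], ENT_QUOTES, 'UTF-8');
}

// Hardened variant: both branches pass through the same escaping step.
function set_value_escaped(array $post, string $field, string $default = ''): string
{
    $value = isset($post[$field]) ? $post[$field] : $default;
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Minimal form element builder that trusts its caller to have escaped $value.
function render_input(string $name, string $value): string
{
    return '<input type="text" name="' . $name . '" value="' . $value . '">';
}

// Constructed sample: a stored profile value used as the default on first load.
$stored = 'Bob "the builder" <bob@example.com>';

// First page load, nothing submitted yet: only the default is in play.
$post = [];
echo render_input('name', set_value_unprepped($post, 'name', $stored)), PHP_EOL;
echo render_input('name', set_value_escaped($post, 'name', $stored)), PHP_EOL;

// After submission both variants agree, which is why the gap is easy to miss
// when a form is only tested by submitting it.
$post = ['name' => $stored];
var_dump(
    set_value_unprepped($post, 'name', $stored) === set_value_escaped($post, 'name', $stored)
);
```

With the escaped variant, callers that already escape the default by hand would need to stop doing so, since `htmlspecialchars()` re-encodes existing entities by default.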

@sourcejedi

I think it does get prepped if you've loaded the form validation helper. (That's no excuse! but it might be useful to know, e.g. if you're trying to reproduce the problem). #1781

@narfbg narfbg referenced this issue from a commit
@narfbg narfbg Deprecated form helper function form_prep().
This function has been broken for YEARS and its value-caching
logic has only introduced various problems. We have html_escape()
since CI 2.1.0 which is a perfect replacement, so it should be
used instead.

Fixes #228 & #1630
74ffd17
@narfbg
Owner

Fixed.

@narfbg narfbg closed this
@nonchip nonchip referenced this issue from a commit in nonchip/CodeIgniter
@narfbg narfbg Deprecated form helper function form_prep().
This function has been broken for YEARS and its value-caching
logic has only introduced various problems. We have html_escape()
since CI 2.1.0 which is a perfect replacement, so it should be
used instead.

Fixes #228 & #1630
8ed4f77