
Form_helper's set_value() does not form_prep() the $default #1630

Closed
lanzz opened this Issue Jul 17, 2012 · 2 comments


lanzz commented Jul 17, 2012

The CI documentation about form_prep() states:

If you use any of the form helper functions listed in this page the form values will be prepped automatically, so there is no need to call this function. Use it only if you are creating your own form elements.

This turns out to be untrue: the $default parameter of set_value() is never prepped, as seen on line 681 in system/helpers/form_helper.php (CI v2.1.2):

679  if ( ! isset($_POST[$field]))
680  {
681    return $default;
682  }
683
684  return form_prep($_POST[$field], $field);

I see no useful cases where one would want to pass raw HTML (as opposed to prepped) as the default value of set_value(), so this seems like a bug to me.
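To illustrate the reported behaviour, here is an added example (not CodeIgniter's own code) with simplified stand-ins for set_value() and html_escape(); the names html_escape_stub, set_value_buggy, set_value_fixed, render_input and the sample value are assumptions made for the demonstration.

```php
<?php
// Added example, not CodeIgniter code. Simplified stand-ins for the CI 2.1.2
// set_value() helper and for html_escape(), showing why an unescaped
// $default matters once the value is printed inside an HTML attribute.

// Stand-in for CI's html_escape() (available since CI 2.1.0).
function html_escape_stub($str)
{
    return htmlspecialchars($str, ENT_QUOTES, 'UTF-8');
}

// Behaviour described in the issue: the $_POST value is escaped,
// the $default is returned as-is.
function set_value_buggy($field, $default = '')
{
    if ( ! isset($_POST[$field])) {
        return $default;
    }
    return html_escape_stub($_POST[$field]);
}

// Corrected behaviour: both return paths go through the escaper.
function set_value_fixed($field, $default = '')
{
    if ( ! isset($_POST[$field])) {
        return html_escape_stub($default);
    }
    return html_escape_stub($_POST[$field]);
}

// Renders the input the way a view typically does.
function render_input($field, $value)
{
    return '<input type="text" name="' . $field . '" value="' . $value . '" />';
}

// Constructed sample: a previously stored value (say, a nickname from the
// database) that contains a double quote. No form data has been posted.
$_POST = array();
$stored = 'Bob "the builder"';

// With the buggy helper the quote in $stored closes the value attribute
// early, so the rest of the string is emitted as loose attribute text.
echo render_input('nick', set_value_buggy('nick', $stored)), PHP_EOL;

// With the fixed helper the quote is entity-encoded and the attribute
// boundary is preserved.
echo render_input('nick', set_value_fixed('nick', $stored)), PHP_EOL;
```

Running the script and comparing the two rendered inputs shows that only the default path differs between the two variants; when the field is present in $_POST both helpers escape it identically.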

Contributor

sourcejedi commented Oct 4, 2012

I think it does get prepped if you've loaded the form validation helper. (That's no excuse! But it might be useful to know, e.g. if you're trying to reproduce the problem.) #1781

narfbg added a commit that referenced this issue Oct 26, 2012

Deprecated form helper function form_prep().
This function has been broken for YEARS and its value-caching
logic has only introduced various problems. We have html_escape()
since CI 2.1.0 which is a perfect replacement, so it should be
used instead.

Fixes #228 & #1630
Contributor

narfbg commented Oct 26, 2012

Fixed.

@narfbg narfbg closed this Oct 26, 2012

nonchip pushed a commit to nonchip/CodeIgniter that referenced this issue Jun 29, 2013
