Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP

Loading…

Encoding of form fields #1953

Closed
it-can opened this Issue · 19 comments

3 participants

@it-can

Hi,

since I updated to the latest develop it seems that when I post/save to the database & it seems to get encoded to &
In the database it is saved correctly...

I think it is related to this: 3ccc386#diff-25

@narfbg
Owner

It is indeed related - form_prep() was broken and didn't always encode these characters.

@it-can

Okay but this is not correct still? Because will input boxes show encoded characters now:

input: TEST&

$abc = 'TEST&';
echo form_input(array('name'=>'abc'), set_value('abc', $abc));

output: TEST&
expected: TEST&

@narfbg
Owner

Actually, the code that you've shown would output TEST&&, which is indeed a problem.

But even before that commit, form_prep() should have encoded it the same way when you first execute it for that field (whether that's proper behavior is another question). Wasn't that the case?

@it-can

nope, before it worked...

@it-can

Mmm this seems to be working:

$abc = 'TEST&';
<input type="text" value="<?php echo set_value('abc', $abc); ?>" />

Could it be a problem with the form_input() / _parse_form_attributes() functions? Can this be the problem? https://github.com/EllisLab/CodeIgniter/blob/develop/system/helpers/form_helper.php#L894

@narfbg
Owner

Just to be more clear, the actual commit that caused this is 74ffd17.
The problem is actually double escaping, which is the result of an effort to fix #1630.

form_prep() DID convert the ampersand to &amp;, the issue is that now that set_value() escapes values by itself, when _parse_form_attributes() is applied later, it tries to escape them again and &amp; becomes &amp;amp; (correction of what I said above).

I'll think about a fix for it.

@narfbg narfbg referenced this issue from a commit
@narfbg narfbg Fix issue #1953 (form values being escaped twice)
Re-instaing an improved form_prep() function, reverting most of the changes from 74ffd17.
7c4d106
@narfbg
Owner

How about now?

@it-can

Seems to be working now... Thanks!

@it-can it-can closed this
@nonchip nonchip referenced this issue from a commit in nonchip/CodeIgniter
@narfbg narfbg Fix issue #1953 (form values being escaped twice)
Re-instaing an improved form_prep() function, reverting most of the changes from 74ffd17.
3d66b29
@narfbg narfbg referenced this issue from a commit
@narfbg narfbg Revert 7c4d106
Deprecates form_prep() in favor of html_escape() (again).

Related: issue #1953, which was the reason for the reverted commit,
but was wrongly interpreted and that shouldn't have happened.

Close #2477
2c24561
@narfbg
Owner

Well ... yet another revert on this.

It is set_value() that shouldn't be used together with other form helpers and that has caused the issue that you described here. Added a note about it the docs this time.

@it-can

@narfbg Ok... but what can I use instead of set_value()? I am using it like this: https://ellislab.com/codeigniter/user-guide/libraries/form_validation.html#repopulatingform

@narfbg
Owner

If you're using it like shown in that example it's completely fine - it doesn't pass set_value() to i.e. form_input(), so no double encoding.

@it-can

@narfbg I am using it like this: echo form_input(array('name'=>'abc'), set_value('abc', $abc));

@narfbg
Owner

Well ... don't.

isset($var) ? $var : $default should do it.

@it-can

I use set_value() the form_validation class.

@narfbg
Owner

set_value() != $this->form_validation->set_value()

@it-can

Okay then I just have to pass the value given back by the form_validation class?

@narfbg
Owner

I guess so.

@ivantcholakov

What about an additional form helper function that returns raw, unescaped values? Then in some cases we will be able to decide how to apply escaping manually. Here is a code drafting:


if ( ! function_exists('form_value'))
{
    /**
     * Form Value (Raw)
     *
     * Grabs a value from the POST array for the specified field so you can
     * re-populate fields in some special or cutting-edge cases. If Form Validation
     * is active it retrieves the info from the validation class.
     *
     * Important: The result is not HTML-escaped or HTML-attribute-escaped,
     * you should do it additionalyy according to the context of usage.
     *
     * @param   string  $field      Field name
     * @param   string  $default    Default value
     * @return  string
     */
    function form_value($field, $default = '')
    {
        $CI =& get_instance();

        $value = (isset($CI->form_validation) && is_object($CI->form_validation) && $CI->form_validation->has_rule($field))
            ? $CI->form_validation->set_value($field, $default)
            : $CI->input->post($field, FALSE);

        return $value === NULL ? $default : $value;
    }
}
@it-can

I implemented something similiar in my projects...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.