authorkenjis <kenji@codeigniter.jp>2011-08-25 03:51:44 +0200
committerkenjis <kenji@codeigniter.jp>2011-08-25 03:51:44 +0200
commitfbac8b4553942db4be52e872d9fd68717e5006e4 (patch)
treebbc95119f6c7cc0f89bf0ac8b6862711811d5623
parent0ba26c731cf8838b5239c1a7957bc18f58fe2f7d (diff)
add html_escape() function to escape HTML.
-rw-r--r--system/core/Common.php24
-rw-r--r--user_guide/changelog.html1
-rw-r--r--user_guide/general/common_functions.html2
3 files changed, 27 insertions, 0 deletions
diff --git a/system/core/Common.php b/system/core/Common.php
index 3c62403ac..d79375475 100644
--- a/system/core/Common.php
+++ b/system/core/Common.php
@@ -536,5 +536,29 @@ if ( ! function_exists('remove_invisible_characters'))
}
}
+// ------------------------------------------------------------------------
+
+/**
+* Returns HTML escaped variable
+*
+* @access public
+* @param mixed
+* @return mixed
+*/
+if ( ! function_exists('html_escape'))
+{
+ function html_escape($var)
+ {
+ if (is_array($var))
+ {
+ return array_map('html_escape', $var);
+ }
+ else
+ {
+ return htmlspecialchars($var, ENT_QUOTES, config_item('charset'));
+ }
+ }
+}
+
/* End of file Common.php */
/* Location: ./system/core/Common.php */ \ No newline at end of file
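Review bot: The docblock on html_escape() does not state which output context the escaping covers, and "Returns HTML escaped variable" will be read as a general XSS fix; htmlspecialchars() with ENT_QUOTES is correct for HTML text and quoted attribute values only, not for values placed into JavaScript, URL or CSS contexts or into unquoted attributes, which each need their own encoding. I would replace the two unnamed tags with `@param mixed $var string, or array (nested arrays allowed) of strings to escape` and `@return mixed the escaped string, or an array of the same shape`, and add one sentence saying the result is safe only in HTML text and quoted-attribute context. A value that is neither a string nor an array (an object or resource) is passed straight to htmlspecialchars(), whose handling of non-scalars varies by PHP version, so the function should either document that callers must pass strings/arrays or reject other types explicitly. Because the charset is taken from config_item('charset'), data whose bytes are not valid in that charset may be returned as an empty string on PHP builds that behave that way, silently dropping output rather than escaping it, which is worth a note so callers keep the configured charset in step with the data's actual encoding.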
diff --git a/user_guide/changelog.html b/user_guide/changelog.html
index 91312e46b..c22bebda6 100644
--- a/user_guide/changelog.html
+++ b/user_guide/changelog.html
@@ -67,6 +67,7 @@ Change Log
<ul>
<li class="reactor">Callback validation rules can now accept parameters like any other validation rule.</li>
<li class="reactor">Ability to log certain error types, not all under a threshold.</li>
+ <li class="reactor">Added html_escape() to the <a href="general/common_functions.html">Common functions<a> to escape HTML output for preventing XSS easliy.</li>
</ul>
</li>
<li>Helpers
diff --git a/user_guide/general/common_functions.html b/user_guide/general/common_functions.html
index 65457759d..7cff6321c 100644
--- a/user_guide/general/common_functions.html
+++ b/user_guide/general/common_functions.html
@@ -104,6 +104,8 @@ else<br />
<p>This function prevents inserting null characters between ascii characters, like Java\0script.</p>
+<h2>html_escape(<var>$mixed</var>)</h2>
+<p>This function provides short cut for htmlspecialchars() function. It accepts string and array. To prevent Cross Site Scripting (XSS), it is very useful.</p>
</div>