summaryrefslogtreecommitdiffstats
path: root/system/helpers/form_helper.php
diff options
context:
space:
mode:
authorJonatas Miguel <jonatas.df.miguel@gmail.com>2012-10-31 15:44:02 +0100
committerJonatas Miguel <jonatas.df.miguel@gmail.com>2012-10-31 15:44:02 +0100
commit3ccc386be4e0e1e4b3d47f1785e11d4b8613ef72 (patch)
treef1c8cd29775537b8da76143edeec5b6c8d659550 /system/helpers/form_helper.php
parenta9a1d2520493211ca35f7ab56866d0e154afc1c3 (diff)
parentf2b19fee7876708c7a7bb5cba6b7df682a9d2a53 (diff)
Merge branch 'develop' of git://github.com/EllisLab/CodeIgniter into develop
Diffstat (limited to 'system/helpers/form_helper.php')
-rw-r--r--system/helpers/form_helper.php76
1 files changed, 26 insertions, 50 deletions
diff --git a/system/helpers/form_helper.php b/system/helpers/form_helper.php
index 1bccac35c..622622c0e 100644
--- a/system/helpers/form_helper.php
+++ b/system/helpers/form_helper.php
@@ -149,7 +149,7 @@ if ( ! function_exists('form_hidden'))
if ( ! is_array($value))
{
- $form .= '<input type="hidden" name="'.$name.'" value="'.form_prep($value, $name)."\" />\n";
+ $form .= '<input type="hidden" name="'.$name.'" value="'.html_escape($value)."\" />\n";
}
else
{
@@ -263,7 +263,7 @@ if ( ! function_exists('form_textarea'))
}
$name = is_array($data) ? $data['name'] : $data;
- return '<textarea '._parse_form_attributes($data, $defaults).$extra.'>'.form_prep($val, $name)."</textarea>\n";
+ return '<textarea '._parse_form_attributes($data, $defaults).$extra.'>'.html_escape($val)."</textarea>\n";
}
}
@@ -298,10 +298,10 @@ if ( ! function_exists('form_dropdown'))
/**
* Drop-down Menu
*
- * @param string
- * @param array
- * @param string
- * @param string
+ * @param mixed $name = ''
+ * @param mixed $options = array()
+ * @param mixed $selected = array()
+ * @param mixed $extra = array()
* @return string
*/
function form_dropdown($name = '', $options = array(), $selected = array(), $extra = '')
@@ -316,10 +316,7 @@ if ( ! function_exists('form_dropdown'))
return form_dropdown($name['name'], $name['options'], $name['selected'], $name['extra']);
}
- if ( ! is_array($selected))
- {
- $selected = array($selected);
- }
+ is_array($selected) OR $selected = array($selected);
// If no selected state was submitted we will attempt to set it automatically
if (count($selected) === 0 && isset($_POST[$name]))
@@ -352,14 +349,17 @@ if ( ! function_exists('form_dropdown'))
foreach ($val as $optgroup_key => $optgroup_val)
{
$sel = in_array($optgroup_key, $selected) ? ' selected="selected"' : '';
- $form .= '<option value="'.$optgroup_key.'"'.$sel.'>'.(string) $optgroup_val."</option>\n";
+ $form .= '<option value="'.html_escape($optgroup_key).'"'.$sel.'>'
+ .(string) $optgroup_val."</option>\n";
}
$form .= "</optgroup>\n";
}
else
{
- $form .= '<option value="'.$key.'"'.(in_array($key, $selected) ? ' selected="selected"' : '').'>'.(string) $val."</option>\n";
+ $form .= '<option value="'.html_escape($key).'"'
+ .(in_array($key, $selected) ? ' selected="selected"' : '').'>'
+ .(string) $val."</option>\n";
}
}
@@ -600,44 +600,16 @@ if ( ! function_exists('form_prep'))
*
* Formats text so that it can be safely placed in a form field in the event it has HTML tags.
*
- * @param string
- * @param string
+ * @todo Remove in version 3.1+.
+ * @deprecated 3.0.0 This function has been broken for a long time
+ * and is now just an alias for html_escape(). It's
+ * second argument is ignored.
+ * @param string $str = ''
+ * @param string $field_name = ''
* @return string
*/
function form_prep($str = '', $field_name = '')
{
- static $prepped_fields = array();
-
- // if the field name is an array we do this recursively
- if (is_array($str))
- {
- foreach ($str as $key => $val)
- {
- $str[$key] = form_prep($val);
- }
-
- return $str;
- }
-
- if ($str === '')
- {
- return '';
- }
-
- // we've already prepped a field with this name
- // @todo need to figure out a way to namespace this so
- // that we know the *exact* field and not just one with
- // the same name
- if (isset($prepped_fields[$field_name]))
- {
- return $str;
- }
-
- if ($field_name !== '')
- {
- $prepped_fields[$field_name] = $field_name;
- }
-
return html_escape($str);
}
}
@@ -663,13 +635,13 @@ if ( ! function_exists('set_value'))
{
if ( ! isset($_POST[$field]))
{
- return $default;
+ return html_escape($default);
}
- return form_prep($_POST[$field], $field);
+ return html_escape($_POST[$field]);
}
- return form_prep($OBJ->set_value($field, $default), $field);
+ return html_escape($OBJ->set_value($field, $default));
}
}
@@ -919,7 +891,11 @@ if ( ! function_exists('_parse_form_attributes'))
{
if ($key === 'value')
{
- $val = form_prep($val, $default['name']);
+ $val = html_escape($val);
+ }
+ elseif ($key === 'name' && ! strlen($default['name']))
+ {
+ continue;
}
$att .= $key.'="'.$val.'" ';