Fix issue #1953 (form values being escaped twice)

Re-instaing an improved form_prep() function, reverting most of the changes from 74ffd17ab06327ca62ddfe28a186cae7ba6bd459.
author: Andrey Andreev <narf@bofh.bg> 2012-11-01 14:14:34 +0100
committer: Andrey Andreev <narf@bofh.bg> 2012-11-01 14:14:34 +0100
commit: 7c4d10660a0a47446474bf97e3cb65f80693f1ee (patch)
tree: 9ba3d1c2f96d4bc23f128791e997c5da275b6942 /system
parent: ce1b02a0fa8e07f769c41634e19c15482244e687 (diff)
2 files changed, 51 insertions, 42 deletions
diff --git a/system/helpers/form_helper.php b/system/helpers/form_helper.php
index 622622c0e..9c4c4dae6 100644
--- a/system/helpers/form_helper.php
+++ b/system/helpers/form_helper.php
@@ -124,9 +124,9 @@ if ( ! function_exists('form_hidden'))
 	 * Generates hidden fields. You can pass a simple key/value string or
 	 * an associative array with multiple values.
 	 *
-	 * @param	mixed
-	 * @param	string
-	 * @param	bool
+	 * @param	mixed	$name		Field name
+	 * @param	string	$value		Field value
+	 * @param	bool	$recursing
 	 * @return	string
 	 */
 	function form_hidden($name, $value = '', $recursing = FALSE)
@@ -149,7 +149,7 @@ if ( ! function_exists('form_hidden'))
 
 		if ( ! is_array($value))
 		{
-			$form .= '<input type="hidden" name="'.$name.'" value="'.html_escape($value)."\" />\n";
+			$form .= '<input type="hidden" name="'.$name.'" value="'.form_prep($value)."\" />\n";
 		}
 		else
 		{
@@ -243,9 +243,9 @@ if ( ! function_exists('form_textarea'))
 	/**
 	 * Textarea field
 	 *
-	 * @param	mixed
-	 * @param	string
-	 * @param	string
+	 * @param	mixed	$data
+	 * @param	string	$value
+	 * @param	string	$extra
 	 * @return	string
 	 */
 	function form_textarea($data = '', $value = '', $extra = '')
@@ -263,7 +263,7 @@ if ( ! function_exists('form_textarea'))
 		}
 
 		$name = is_array($data) ? $data['name'] : $data;
-		return '<textarea '._parse_form_attributes($data, $defaults).$extra.'>'.html_escape($val)."</textarea>\n";
+		return '<textarea '._parse_form_attributes($data, $defaults).$extra.'>'.form_prep($val, TRUE)."</textarea>\n";
 	}
 }
 
@@ -298,10 +298,10 @@ if ( ! function_exists('form_dropdown'))
 	/**
 	 * Drop-down Menu
 	 *
-	 * @param	mixed	$name = ''
-	 * @param	mixed	$options = array()
-	 * @param	mixed	$selected = array()
-	 * @param	mixed	$extra = array()
+	 * @param	mixed	$name
+	 * @param	mixed	$options
+	 * @param	mixed	$selected
+	 * @param	mixed	$extra
 	 * @return	string
 	 */
 	function form_dropdown($name = '', $options = array(), $selected = array(), $extra = '')
@@ -349,7 +349,7 @@ if ( ! function_exists('form_dropdown'))
 				foreach ($val as $optgroup_key => $optgroup_val)
 				{
 					$sel = in_array($optgroup_key, $selected) ? ' selected="selected"' : '';
-					$form .= '<option value="'.html_escape($optgroup_key).'"'.$sel.'>'
+					$form .= '<option value="'.form_prep($optgroup_key).'"'.$sel.'>'
 						.(string) $optgroup_val."</option>\n";
 				}
 
@@ -357,7 +357,7 @@ if ( ! function_exists('form_dropdown'))
 			}
 			else
 			{
-				$form .= '<option value="'.html_escape($key).'"'
+				$form .= '<option value="'.form_prep($key).'"'
 					.(in_array($key, $selected) ? ' selected="selected"' : '').'>'
 					.(string) $val."</option>\n";
 			}
@@ -600,17 +600,28 @@ if ( ! function_exists('form_prep'))
 	 *
 	 * Formats text so that it can be safely placed in a form field in the event it has HTML tags.
 	 *
-	 * @todo	Remove in version 3.1+.
-	 * @deprecated	3.0.0	This function has been broken for a long time
-	 *			and is now just an alias for html_escape(). It's
-	 *			second argument is ignored.
-	 * @param	string	$str = ''
-	 * @param	string	$field_name = ''
-	 * @return	string
+	 * @param	string|string[]	$str		Value to escape
+	 * @param	bool		$is_textarea	Whether we're escaping for a textarea element
+	 * @return	string|string[]	Escaped values
 	 */
-	function form_prep($str = '', $field_name = '')
+	function form_prep($str = '', $is_textarea = FALSE)
 	{
-		return html_escape($str);
+		if (is_array($str))
+		{
+			foreach (array_keys($str) as $key)
+			{
+				$str[$key] = form_prep($str[$key], $is_textarea);
+			}
+
+			return $str;
+		}
+
+		if ($is_textarea === TRUE)
+		{
+			return str_replace(array('<', '>'), array('&lt;', '&gt;'), stripslashes($str));
+		}
+
+		return str_replace(array("'", '"'), array('&#39;', '&quot;'), stripslashes($data));
 	}
 }
 
@@ -625,23 +636,21 @@ if ( ! function_exists('set_value'))
 	 * re-populate an input field or textarea. If Form Validation
 	 * is active it retrieves the info from the validation class
 	 *
-	 * @param	string
-	 * @param	string
-	 * @return	mixed
+	 * @param	string	$field		Field name
+	 * @param	string	$default	Default value
+	 * @param	bool	$is_textarea	Whether the field is a textarea element
+	 * @return	string
 	 */
-	function set_value($field = '', $default = '')
+	function set_value($field = '', $default = '', $is_textarea = FALSE)
 	{
 		if (FALSE === ($OBJ =& _get_validation_object()))
 		{
-			if ( ! isset($_POST[$field]))
-			{
-				return html_escape($default);
-			}
-
-			return html_escape($_POST[$field]);
+			return isset($_POST[$field])
+				? form_prep($_POST[$field], $is_textarea)
+				: form_prep($default, $is_textarea);
 		}
 
-		return html_escape($OBJ->set_value($field, $default));
+		return form_prep($OBJ->set_value($field, $default), $is_textarea);
 	}
 }
 
@@ -862,8 +871,8 @@ if ( ! function_exists('_parse_form_attributes'))
 	 *
 	 * Helper function used by some of the form helpers
 	 *
-	 * @param	array
-	 * @param	array
+	 * @param	array	$attributes	List of attributes
+	 * @param	array	$default	Default values
 	 * @return	string
 	 */
 	function _parse_form_attributes($attributes, $default)
@@ -891,7 +900,7 @@ if ( ! function_exists('_parse_form_attributes'))
 		{
 			if ($key === 'value')
 			{
-				$val = html_escape($val);
+				$val = form_prep($val);
 			}
 			elseif ($key === 'name' && ! strlen($default['name']))
 			{
diff --git a/system/libraries/Form_validation.php b/system/libraries/Form_validation.php
index c1bf51935..74dac7d29 100644
--- a/system/libraries/Form_validation.php
+++ b/system/libraries/Form_validation.php
@@ -1323,6 +1323,11 @@ class CI_Form_validation {
 	 */
 	public function prep_for_form($data = '')
 	{
+		if ($this->_safe_form_data === FALSE OR empty($data))
+		{
+			return $data;
+		}
+
 		if (is_array($data))
 		{
 			foreach ($data as $key => $val)
@@ -1333,11 +1338,6 @@ class CI_Form_validation {
 			return $data;
 		}
 
-		if ($this->_safe_form_data === FALSE OR $data === '')
-		{
-			return $data;
-		}
-
 		return str_replace(array("'", '"', '<', '>'), array('&#39;', '&quot;', '&lt;', '&gt;'), stripslashes($data));
 	}
author	Andrey Andreev <narf@bofh.bg>	2012-11-01 14:14:34 +0100
committer	Andrey Andreev <narf@bofh.bg>	2012-11-01 14:14:34 +0100
commit	7c4d10660a0a47446474bf97e3cb65f80693f1ee (patch)
tree	9ba3d1c2f96d4bc23f128791e997c5da275b6942 /system
parent	ce1b02a0fa8e07f769c41634e19c15482244e687 (diff)