summaryrefslogtreecommitdiffstats
path: root/user_guide_src/source
diff options
context:
space:
mode:
authorAndrey Andreev <narf@bofh.bg>2012-10-26 23:41:03 +0200
committerAndrey Andreev <narf@bofh.bg>2012-10-26 23:41:03 +0200
commit74ffd17ab06327ca62ddfe28a186cae7ba6bd459 (patch)
tree033c45ff09864b64807a92960f5ca546c4ecefbd /user_guide_src/source
parenta779b2cf8ceaea5ecfd8d26f5e2c379b8fca48d8 (diff)
Deprecated form helper function form_prep().
This function has been broken for YEARS and it's value-caching logic has only introduced various problems. We have html_escape() since CI 2.1.0 which is a perfect replacement, so it should be used instead. Fixes #228 & #1630
Diffstat (limited to 'user_guide_src/source')
-rw-r--r--user_guide_src/source/changelog.rst5
-rw-r--r--user_guide_src/source/helpers/form_helper.rst47
-rw-r--r--user_guide_src/source/installation/upgrade_300.rst43
3 files changed, 55 insertions, 40 deletions
diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst
index 0d832425c..54338f3ee 100644
--- a/user_guide_src/source/changelog.rst
+++ b/user_guide_src/source/changelog.rst
@@ -75,7 +75,9 @@ Release Date: Not Released
- Refactored ``plural()`` and ``singular()`` to avoid double pluralization and support more words.
- Added an optional third parameter to ``force_download()`` that enables/disables sending the actual file MIME type in the Content-Type header (disabled by default).
- Added a work-around in ``force_download()`` for a bug Android <= 2.1, where the filename extension needs to be in uppercase.
- - ``form_dropdown()`` will now also take an array for unity with other form helpers.
+ - :doc:`Form Helper <helpers/form_helper>` changes include:
+ - ``form_dropdown()`` will now also take an array for unity with other form helpers.
+ - ``form_prep()`` is now **DEPRECATED** and only acts as an alias for :doc:`common function <general/common_functions>` ``html_escape()``.
- ``do_hash()`` now uses PHP's native ``hash()`` function (supporting more algorithms) and is deprecated.
- Removed previously deprecated helper function ``js_insert_smiley()`` from :doc:`Smiley Helper <helpers/smiley_helper>`.
- :doc:`File Helper <helpers/file_helper>` changes include:
@@ -387,6 +389,7 @@ Bug fixes for 3.0
- Fixed a bug (#1506) - :doc:`Form Helpers <helpers/form_helper>` set empty *name* attributes.
- Fixed a bug (#59) - :doc:`Query Builder <database/query_builder>` method ``count_all_results()`` ignored the DISTINCT clause.
- Fixed a bug (#1624) - :doc:`Form Validation Library <libraries/form_validation>` rule **matches** didn't property handle array field names.
+- Fixed a bug (#1630) - :doc:`Form Helper <helpers/form_helper>` function ``set_value()`` didn't escape HTML entities.
Version 2.1.3
=============
diff --git a/user_guide_src/source/helpers/form_helper.rst b/user_guide_src/source/helpers/form_helper.rst
index fa7b3dbf9..015bf1162 100644
--- a/user_guide_src/source/helpers/form_helper.rst
+++ b/user_guide_src/source/helpers/form_helper.rst
@@ -463,29 +463,6 @@ the tag. For example
echo form_close($string);
// Would produce: </form> </div></div>
-form_prep()
-===========
-
-Allows you to safely use HTML and characters such as quotes within form
-elements without breaking out of the form. Consider this example
-
-::
-
- $string = 'Here is a string containing "quoted" text.';
- <input type="text" name="myform" value="$string" />
-
-Since the above string contains a set of quotes it will cause the form
-to break. The `form_prep()` function converts HTML so that it can be used
-safely
-
-::
-
- <input type="text" name="myform" value="<?php echo form_prep($string); ?>" />
-
-.. note:: If you use any of the form helper functions listed in this page the form
- values will be prepped automatically, so there is no need to call this
- function. Use it only if you are creating your own form elements.
-
set_value()
===========
@@ -546,4 +523,26 @@ This function is identical to the **set_checkbox()** function above.
.. note:: If you are using the Form Validation class, you must always specify a rule for your field,
even if empty, in order for the set_*() functions to work. This is because if a Form Validation object
is defined, the control for set_*() is handed over to a method of the class instead of the generic helper
- function. \ No newline at end of file
+ function.
+
+Escaping field values
+=====================
+
+You may need to use HTML and characters such as quotes within form
+elements. In order to do that safely, you'll need to use
+:doc:`common function <../general/common_functions>` ``html_escape()``.
+
+Consider the following example::
+
+ $string = 'Here is a string containing "quoted" text.';
+ <input type="text" name="myform" value="$string" />
+
+Since the above string contains a set of quotes it will cause the form
+to break. The ``html_escape()`` function converts HTML so that it can be
+used safely::
+
+ <input type="text" name="myform" value="<?php echo html_escape($string); ?>" />
+
+.. note:: If you use any of the form helper functions listed in this page, the form
+ values will be prepped automatically, so there is no need to call this
+ function. Use it only if you are creating your own form elements. \ No newline at end of file
diff --git a/user_guide_src/source/installation/upgrade_300.rst b/user_guide_src/source/installation/upgrade_300.rst
index 31a5c0761..952108356 100644
--- a/user_guide_src/source/installation/upgrade_300.rst
+++ b/user_guide_src/source/installation/upgrade_300.rst
@@ -71,8 +71,24 @@ Step 7: Check the calls to Array Helper's element() and elements() functions
The default return value of these functions, when the required elements
don't exist, has been changed from FALSE to NULL.
+**********************************************************
+Step 8: Change usage of Email library with multiple emails
+**********************************************************
+
+The :doc:`Email library <../libraries/email>` will automatically clear the
+set parameters after successfully sending emails. To override this behaviour,
+pass FALSE as the first parameter in the ``send()`` method:
+
+::
+
+ if ($this->email->send(FALSE))
+ {
+ // Parameters won't be cleared
+ }
+
+
***************************************************************
-Step 8: Remove usage of (previously) deprecated functionalities
+Step 9: Remove usage of (previously) deprecated functionalities
***************************************************************
In addition to the ``$autoload['core']`` configuration setting, there's a number of other functionalities
@@ -118,6 +134,16 @@ CodeIgniter 3.1+.
.. note:: This function is still available, but you're strongly encouraged to remove it's usage sooner
rather than later.
+Form helper form_prep()
+=======================
+
+:doc:`Form Helper <../helpers/form_helper>` function ``form_prep()`` is now just an alias for
+:doc:`common function <../general/common_functions>` ``html_escape()`` and it's second argument
+is ignored. It is deprecated and scheduled for removal in CodeIgniter 3.1+.
+
+.. note:: This function is still available, but you're strongly encouraged to remove it's usage sooner
+ rather than later.
+
Date helper standard_date()
===========================
@@ -154,17 +180,4 @@ As a result of that, the 'anchor_class' setting is now deprecated and scheduled
CodeIgniter 3.1+.
.. note:: This setting is still available, but you're strongly encouraged to remove its' usage sooner
- rather than later.
-
-Email library
-=============
-
-The :doc:`Email library <../libraries/email>` will automatically clear the set parameters after successfully sending
-emails. To override this behaviour, pass FALSE as the first parameter in the ``send()`` function:
-
-::
-
- if ($this->email->send(FALSE))
- {
- // Parameters won't be cleared
- }
+ rather than later. \ No newline at end of file