author: Andrey Andreev <narf@bofh.bg> 2012-11-01 14:14:34 +0100
committer: Andrey Andreev <narf@bofh.bg> 2012-11-01 14:14:34 +0100
commit: 7c4d10660a0a47446474bf97e3cb65f80693f1ee (patch)
tree: 9ba3d1c2f96d4bc23f128791e997c5da275b6942 /user_guide_src
parent: ce1b02a0fa8e07f769c41634e19c15482244e687 (diff)
Fix issue #1953 (form values being escaped twice)
Re-instating an improved form_prep() function, reverting most of the changes from 74ffd17ab06327ca62ddfe28a186cae7ba6bd459.
Diffstat (limited to 'user_guide_src')
-rw-r--r-- user_guide_src/source/changelog.rst | 2
-rw-r--r-- user_guide_src/source/helpers/form_helper.rst | 44
-rw-r--r-- user_guide_src/source/installation/upgrade_300.rst | 10
3 files changed, 22 insertions, 34 deletions
diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst
index 4aef2a174..511ee00f6 100644
--- a/user_guide_src/source/changelog.rst
+++ b/user_guide_src/source/changelog.rst
@@ -77,7 +77,7 @@ Release Date: Not Released
- Added a work-around in ``force_download()`` for a bug Android <= 2.1, where the filename extension needs to be in uppercase.
- :doc:`Form Helper <helpers/form_helper>` changes include:
- ``form_dropdown()`` will now also take an array for unity with other form helpers.
- - ``form_prep()`` is now **DEPRECATED** and only acts as an alias for :doc:`common function <general/common_functions>` ``html_escape()``.
+ - ``form_prep()``'s second argument now only accepts a boolean value, which determines whether the value is escaped for a *textarea* or a regular *input* element.
- ``do_hash()`` now uses PHP's native ``hash()`` function (supporting more algorithms) and is deprecated.
- Removed previously deprecated helper function ``js_insert_smiley()`` from :doc:`Smiley Helper <helpers/smiley_helper>`.
- :doc:`File Helper <helpers/file_helper>` changes include:
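Review bot: the bug fix itself is not recorded in this changelog hunk. The commit message says the change fixes issue #1953 (form values being escaped twice), but the only edit here rewrites the form_prep() feature entry; a separate line under the release's bug fixes stating that form values are no longer escaped twice (issue #1953) would let users locate the behaviour change from the changelog.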
diff --git a/user_guide_src/source/helpers/form_helper.rst b/user_guide_src/source/helpers/form_helper.rst
index 015bf1162..02a758694 100644
--- a/user_guide_src/source/helpers/form_helper.rst
+++ b/user_guide_src/source/helpers/form_helper.rst
@@ -463,6 +463,26 @@ the tag. For example
echo form_close($string);
// Would produce: </form> </div></div>
+form_prep()
+===========
+
+Allows you to safely use HTML and characters such as quotes within form
+elements without breaking out of the form. Consider this example
+::
+
+ $string = 'Here is a string containing "quoted" text.';
+ <input type="text" name="myform" value="$string" />
+
+Since the above string contains a set of quotes it will cause the form
+to break. The ``form_prep()`` function converts HTML so that it can be used
+safely::
+
+ <input type="text" name="myform" value="<?php echo form_prep($string); ?>" />
+
+.. note:: If you use any of the form helper functions listed in this page the form
+ values will be prepped automatically, so there is no need to call this
+ function. Use it only if you are creating your own form elements.
+
set_value()
===========
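Review bot: the new form_prep() section only shows the single-argument call `form_prep($string)` and never documents the second argument, even though the changelog entry in this same commit states that argument is now a boolean selecting textarea versus regular input escaping. Add the function signature and a short note on the second argument (with a textarea example) so the helper page agrees with the changelog. Minor style point: the first literal block is introduced by `::` on its own line after "Consider this example", while the second uses the inline `safely::` form; pick one form for both.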
@@ -523,26 +543,4 @@ This function is identical to the **set_checkbox()** function above.
.. note:: If you are using the Form Validation class, you must always specify a rule for your field,
even if empty, in order for the set_*() functions to work. This is because if a Form Validation object
is defined, the control for set_*() is handed over to a method of the class instead of the generic helper
- function.
-
-Escaping field values
-=====================
-
-You may need to use HTML and characters such as quotes within form
-elements. In order to do that safely, you'll need to use
-:doc:`common function <../general/common_functions>` ``html_escape()``.
-
-Consider the following example::
-
- $string = 'Here is a string containing "quoted" text.';
- <input type="text" name="myform" value="$string" />
-
-Since the above string contains a set of quotes it will cause the form
-to break. The ``html_escape()`` function converts HTML so that it can be
-used safely::
-
- <input type="text" name="myform" value="<?php echo html_escape($string); ?>" />
-
-.. note:: If you use any of the form helper functions listed in this page, the form
- values will be prepped automatically, so there is no need to call this
- function. Use it only if you are creating your own form elements. \ No newline at end of file
+ function. \ No newline at end of file
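Review bot: the removal leaves form_helper.rst still without a trailing newline (the "\ No newline at end of file" marker survives on the new last line `function.`); add the newline while this spot is being touched. The deleted "Escaping field values" section was also the only place on this page that pointed readers at the common function html_escape(); since the restored form_prep() section reuses the same example, a one-line cross-reference to html_escape() for values used outside form elements would keep that pointer from being lost.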
diff --git a/user_guide_src/source/installation/upgrade_300.rst b/user_guide_src/source/installation/upgrade_300.rst
index 6d99f4655..fd5eea478 100644
--- a/user_guide_src/source/installation/upgrade_300.rst
+++ b/user_guide_src/source/installation/upgrade_300.rst
@@ -166,16 +166,6 @@ CodeIgniter 3.1+.
.. note:: This function is still available, but you're strongly encouraged to remove it's usage sooner
rather than later.
-Form helper form_prep()
-=======================
-
-:doc:`Form Helper <../helpers/form_helper>` function ``form_prep()`` is now just an alias for
-:doc:`common function <../general/common_functions>` ``html_escape()`` and it's second argument
-is ignored. It is deprecated and scheduled for removal in CodeIgniter 3.1+.
-
-.. note:: This function is still available, but you're strongly encouraged to remove it's usage sooner
- rather than later.
-
Date helper standard_date()
===========================
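Review bot: dropping the whole "Form helper form_prep()" entry from the upgrade guide leaves users upgrading from 2.x with no notice about form_prep() at all, yet the changelog hunk in this commit states that its second argument now only accepts a boolean value. Replace the deleted deprecation entry with a short one describing that argument change rather than removing the section outright. Also, the context line kept just above ("remove it's usage") has "it's" where "its" is meant, a typo worth fixing while this file is being edited.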