diff options
| -rw-r--r-- | system/helpers/form_helper.php | 20 | ||||
| -rw-r--r-- | user_guide_src/source/changelog.rst | 1 |
2 files changed, 11 insertions, 10 deletions
diff --git a/system/helpers/form_helper.php b/system/helpers/form_helper.php index d81bb7c08..a09cb36dd 100644 --- a/system/helpers/form_helper.php +++ b/system/helpers/form_helper.php @@ -298,10 +298,10 @@ if ( ! function_exists('form_dropdown')) /** * Drop-down Menu * - * @param string - * @param array - * @param string - * @param string + * @param mixed $name = '' + * @param mixed $options = array() + * @param mixed $selected = array() + * @param mixed $extra = array() * @return string */ function form_dropdown($name = '', $options = array(), $selected = array(), $extra = '') @@ -316,10 +316,7 @@ if ( ! function_exists('form_dropdown')) return form_dropdown($name['name'], $name['options'], $name['selected'], $name['extra']); } - if ( ! is_array($selected)) - { - $selected = array($selected); - } + is_array($selected) OR $selected = array($selected); // If no selected state was submitted we will attempt to set it automatically if (count($selected) === 0 && isset($_POST[$name])) @@ -352,14 +349,17 @@ if ( ! function_exists('form_dropdown')) foreach ($val as $optgroup_key => $optgroup_val) { $sel = in_array($optgroup_key, $selected) ? ' selected="selected"' : ''; - $form .= '<option value="'.$optgroup_key.'"'.$sel.'>'.(string) $optgroup_val."</option>\n"; + $form .= '<option value="'.html_escape($optgroup_key).'"'.$sel.'>' + .(string) $optgroup_val."</option>\n"; } $form .= "</optgroup>\n"; } else { - $form .= '<option value="'.$key.'"'.(in_array($key, $selected) ? ' selected="selected"' : '').'>'.(string) $val."</option>\n"; + $form .= '<option value="'.html_escape($key).'"' + .(in_array($key, $selected) ? ' selected="selected"' : '').'>' + .(string) $val."</option>\n"; } } diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst index 54338f3ee..5b24dc276 100644 --- a/user_guide_src/source/changelog.rst +++ b/user_guide_src/source/changelog.rst @@ -390,6 +390,7 @@ Bug fixes for 3.0 - Fixed a bug (#59) - :doc:`Query Builder <database/query_builder>` method ``count_all_results()`` ignored the DISTINCT clause. - Fixed a bug (#1624) - :doc:`Form Validation Library <libraries/form_validation>` rule **matches** didn't property handle array field names. - Fixed a bug (#1630) - :doc:`Form Helper <helpers/form_helper>` function ``set_value()`` didn't escape HTML entities. +- Fixed a bug (#142) - :doc:`Form Helper <helpers/form_helper>` function ``form_dropdown()`` didn't escape HTML entities in option values. Version 2.1.3 ============= |