-rw-r--r-- | system/helpers/form_helper.php | 44 | ||||
-rw-r--r-- | user_guide_src/source/changelog.rst | 2 | ||||
-rw-r--r-- | user_guide_src/source/helpers/form_helper.rst | 85 | ||||
-rw-r--r-- | user_guide_src/source/installation/upgrade_300.rst | 12 |
4 files changed, 79 insertions, 64 deletions
diff --git a/system/helpers/form_helper.php b/system/helpers/form_helper.php
index 0e9207ee2..007db4cab 100644
--- a/system/helpers/form_helper.php
+++ b/system/helpers/form_helper.php
@@ -100,7 +100,7 @@ if ( ! function_exists('form_open'))
 {
 foreach ($hidden as $name => $value)
 {
- $form .= '<input type="hidden" name="'.$name.'" value="'.form_prep($value).'" style="display:none;" />'."\n";
+ $form .= '<input type="hidden" name="'.$name.'" value="'.html_escape($value).'" style="display:none;" />'."\n";
 }
 }
 
@@ -173,7 +173,7 @@ if ( ! function_exists('form_hidden'))
 
 if ( ! is_array($value))
 {
- $form .= '<input type="hidden" name="'.$name.'" value="'.form_prep($value)."\" />\n";
+ $form .= '<input type="hidden" name="'.$name.'" value="'.html_escape($value)."\" />\n";
 }
 else
 {
@@ -287,7 +287,7 @@ if ( ! function_exists('form_textarea'))
 unset($data['value']); // textareas don't use the value attribute
 }
 
- return '<textarea '._parse_form_attributes($data, $defaults).$extra.'>'.form_prep($val, TRUE)."</textarea>\n";
+ return '<textarea '._parse_form_attributes($data, $defaults).$extra.'>'.html_escape($val)."</textarea>\n";
 }
 }
 
@@ -392,7 +392,7 @@ if ( ! function_exists('form_dropdown'))
 foreach ($val as $optgroup_key => $optgroup_val)
 {
 $sel = in_array($optgroup_key, $selected) ? ' selected="selected"' : '';
- $form .= '<option value="'.form_prep($optgroup_key).'"'.$sel.'>'
+ $form .= '<option value="'.html_escape($optgroup_key).'"'.$sel.'>'
 .(string) $optgroup_val."</option>\n";
 }
 
@@ -400,7 +400,7 @@ if ( ! function_exists('form_dropdown'))
 }
 else
 {
- $form .= '<option value="'.form_prep($key).'"'
+ $form .= '<option value="'.html_escape($key).'"'
 .(in_array($key, $selected) ? ' selected="selected"' : '').'>'
 .(string) $val."</option>\n";
 }
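Review bot: In the form_textarea hunk, `html_escape($val)` replaces `form_prep($val, TRUE)`, which (per the body removed in the next hunk) only rewrote `<` and `>` after `stripslashes()`; the new call also encodes quotes and `&` and leaves backslashes intact, so textarea content round-trips differently than before, and nothing in this commit's changelog entry records that. The option labels in the two form_dropdown hunks, `(string) $optgroup_val` and `(string) $val`, are still written into the markup unescaped while only the `value` attribute goes through html_escape(); if that is deliberate (labels may carry markup), say so in form_dropdown's docblock, e.g. `@param array $options Option labels are emitted as-is and must already be HTML-safe`. The same applies to `$name` in the form_open and form_hidden hunks, which is interpolated into the attribute without escaping. All four enclosing functions start and end outside their hunks.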
@@ -653,28 +653,13 @@ if ( ! function_exists('form_prep'))
 *
 * Formats text so that it can be safely placed in a form field in the event it has HTML tags.
 *
+ * @deprecated 3.0.0 An alias for html_escape()
 * @param string|string[] $str Value to escape
- * @param bool $is_textarea Whether we're escaping for a textarea element
 * @return string|string[] Escaped values
 */
- function form_prep($str = '', $is_textarea = FALSE)
+ function form_prep($str)
 {
- if (is_array($str))
- {
- foreach (array_keys($str) as $key)
- {
- $str[$key] = form_prep($str[$key], $is_textarea);
- }
-
- return $str;
- }
-
- if ($is_textarea === TRUE)
- {
- return str_replace(array('<', '>'), array('<', '>'), stripslashes($str));
- }
-
- return str_replace(array("'", '"'), array(''', '"'), stripslashes($str));
+ return html_escape($str, TRUE);
 }
 }
 
@@ -691,10 +676,9 @@ if ( ! function_exists('set_value'))
 *
 * @param string $field Field name
 * @param string $default Default value
- * @param bool $is_textarea Whether the field is a textarea element
 * @return string
 */
- function set_value($field = '', $default = '', $is_textarea = FALSE)
+ function set_value($field, $default = '')
 {
 $CI =& get_instance();
 
@@ -702,7 +686,7 @@ if ( ! function_exists('set_value'))
 ? $CI->form_validation->set_value($field, $default)
 : $CI->input->post($field, FALSE);
 
- return form_prep($value === NULL ? $default : $value, $is_textarea);
+ return html_escape($value === NULL ? $default : $value);
 }
 }
 
@@ -721,7 +705,7 @@ if ( ! function_exists('set_select'))
 * @param bool
 * @return string
 */
- function set_select($field = '', $value = '', $default = FALSE)
+ function set_select($field, $value = '', $default = FALSE)
 {
 $CI =& get_instance();
 
@@ -768,7 +752,7 @@ if ( ! function_exists('set_checkbox'))
 * @param bool
 * @return string
 */
- function set_checkbox($field = '', $value = '', $default = FALSE)
+ function set_checkbox($field, $value = '', $default = FALSE)
 {
 $CI =& get_instance();
 
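Review bot: The new `form_prep($str)` silently accepts and ignores a second argument, so an existing call such as `form_prep($x, TRUE)` keeps running but now fully encodes the value (quotes and `&` included) and no longer applies `stripslashes()`; neither the docblock nor this commit's changelog entry records that shift. Extend the tag to `@deprecated 3.0.0 An alias for html_escape(); the former $is_textarea argument is ignored and stripslashes() is no longer applied`. The docblock still promises `string|string[]`, which presumably relies on html_escape() recursing into arrays — confirm against its definition, which is outside this diff. In the set_value hunk the escaping now runs on the result of `$CI->input->post($field, FALSE)`, i.e. on unfiltered input at output time, which is the right layer; a one-line comment there, `// escaped at output; the XSS filter is deliberately off on the read to avoid double encoding`, would keep a later maintainer from re-enabling the filter.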
@@ -815,7 +799,7 @@ if ( ! function_exists('set_radio'))
 * @param bool $default
 * @return string
 */
- function set_radio($field = '', $value = '', $default = FALSE)
+ function set_radio($field, $value = '', $default = FALSE)
 {
 $CI =& get_instance();
 
@@ -921,7 +905,7 @@ if ( ! function_exists('_parse_form_attributes'))
 {
 if ($key === 'value')
 {
- $val = form_prep($val);
+ $val = html_escape($val);
 }
 elseif ($key === 'name' && ! strlen($default['name']))
 {
diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst
index aace0281f..e389d0a49 100644
--- a/user_guide_src/source/changelog.rst
+++ b/user_guide_src/source/changelog.rst
@@ -104,7 +104,7 @@ Release Date: Not Released
 - :doc:`Form Helper <helpers/form_helper>` changes include:
 
 - :func:`form_dropdown()` will now also take an array for unity with other form helpers.
- - :func:`form_prep()`'s second argument now only accepts a boolean value, which determines whether the value is escaped for a <textarea> or a regular <input> element.
+ - :func:`form_prep()` is now DEPRECATED and only acts as an alias for :doc:`common function <general/common_functions>` :func:`html_escape()`.
 
 - :doc:`Security Helper <helpers/security_helper>` changes include:
 
diff --git a/user_guide_src/source/helpers/form_helper.rst b/user_guide_src/source/helpers/form_helper.rst
index 4fa5f246b..5af0d4014 100644
--- a/user_guide_src/source/helpers/form_helper.rst
+++ b/user_guide_src/source/helpers/form_helper.rst
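Review bot: In the _parse_form_attributes hunk only the `value` key is passed through `html_escape()`; the `name` branch that follows and, presumably, the remaining keys handled outside the hunk are emitted as given, so a quote in a caller-supplied attribute such as `id` or `class` would break the attribute quoting. If that is intended because attribute data is developer-supplied rather than user input, state it in the function's docblock, e.g. `@param array $attributes Only 'value' is HTML-escaped here; other attribute values are written as given`. The function starts and ends outside the hunk. The set_radio hunk only drops the `$field` default and needs no change.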
@@ -19,6 +19,31 @@ This helper is loaded using the following code::
 
 $this->load->helper('form');
 
+Escaping field values
+=====================
+
+You may need to use HTML and characters such as quotes within your form
+elements. In order to do that safely, you'll need to use
+:doc:`common function <../general/common_functions>`
+:func:`html_escape()`.
+
+Consider the following example::
+
+ $string = 'Here is a string containing "quoted" text.';
+
+ <input type="text" name="myfield" value="<?php echo $string; ?>" />
+
+Since the above string contains a set of quotes, it will cause the form
+to break. The :func:`html_escape()` function converts HTML special
+characters so that it can be used safely::
+
+ <input type="text" name="myfield" value="<?php echo html_escape($string); ?>" />
+
+.. note:: If you use any of the form helper functions listed on this page,
+ the form values will be automatically escaped, so there is no need
+ to call this function. Use it only if you are creating your own
+ form elements.
+
 Available Functions
 ===================
 
@@ -546,37 +571,10 @@ The following functions are available:
 
 // Would produce: </form> </div></div>
 
-.. function:: form_prep([$str = ''[, $is_textarea = FALSE]])
-
- :param string $str: Value to escape
- :param bool $is_textarea: Whether we're preparing for <textarea> or a regular input tag
- :returns: Escaped value
- :rtype: string
-
- Allows you to safely use HTML and characters such as quotes within form
- elements without breaking out of the form.
-
- Consider this example::
-
- $string = 'Here is a string containing "quoted" text.';
- <input type="text" name="myform" value="$string" />
-
- Since the above string contains a set of quotes it will cause the form
- to break. The ``form_prep()`` function converts HTML so that it can be used
- safely::
-
- <input type="text" name="myform" value="<?php echo form_prep($string); ?>" />
-
- .. note:: If you use any of the form helper functions listed in this page the form
- values will be prepped automatically, so there is no need to call this
- function. Use it only if you are creating your own form elements.
-
-
-.. function:: set_value([$field = ''[, $default = ''[, $is_textarea = FALSE]]])
+.. function:: set_value($field[, $default = ''])
 
 :param string $field: Field name
 :param string $default: Default value
- :param bool $is_textarea: Whether we're setting <textarea> content
 :returns: Field value
 :rtype: string
 
@@ -587,12 +585,16 @@ The following functions are available:
 
 Example::
 
- <input type="text" name="quantity" value="<?=set_value('quantity', '0');?>" size="50" />
+ <input type="text" name="quantity" value="<?php echo set_value('quantity', '0'); ?>" size="50" />
 
 The above form will show "0" when loaded for the first time.
 
+ .. note:: Only use this function with raw HTML fields, as it
+ internally calls :func:`html_escape()` and combining its
+ usage with other form helper functions will result in
+ double HTML encoding!
 
-.. function:: set_select([$field = ''[, $value = ''[, $default = FALSE]]])
+.. function:: set_select($field[, $value = ''[, $default = FALSE]])
 
 :param string $field: Field name
 :param string $value: Value to check for
@@ -615,7 +617,7 @@ The following functions are available:
 <option value="three" <?php echo set_select('myselect', 'three'); ?> >Three</option>
 </select>
 
-.. function:: set_checkbox([$field = ''[, $value = ''[, $default = FALSE]]])
+.. function:: set_checkbox($field[, $value = ''[, $default = FALSE]])
 
 :param string $field: Field name
 :param string $value: Value to check for
@@ -634,7 +636,7 @@ The following functions are available:
 <input type="checkbox" name="mycheck" value="1" <?php echo set_checkbox('mycheck', '1'); ?> />
 <input type="checkbox" name="mycheck" value="2" <?php echo set_checkbox('mycheck', '2'); ?> />
 
-.. function:: set_radio([$field = ''[, $value = ''[, $default = FALSE]]])
+.. function:: set_radio($field[, $value = ''[, $default = FALSE]])
 
 :param string $field: Field name
 :param string $value: Value to check for
@@ -699,4 +701,21 @@ The following functions are available:
 <span class="error">The "email" field doesn't contain a valid e-mail address!</span>
 <span class="error">The "password" field doesn't match the "repeat_password" field!</span>
 
- */
\ No newline at end of file
+ */
+
+.. function:: form_prep($str)
+
+ :param string $str: Value to escape
+ :returns: Escaped value
+ :rtype: string
+
+ Allows you to safely use HTML and characters such as quotes within form
+ elements without breaking out of the form.
+
+ .. note:: If you use any of the form helper functions listed in this page the form
+ values will be prepped automatically, so there is no need to call this
+ function. Use it only if you are creating your own form elements.
+
+ .. note:: This function is DEPRECATED and is just an alias for
+ :doc:`common function <../general/common_functions>`
+ :func:`html_escape()` - please use that instead.
\ No newline at end of file
diff --git a/user_guide_src/source/installation/upgrade_300.rst b/user_guide_src/source/installation/upgrade_300.rst
index 3e6db390e..c62b28fa3 100644
--- a/user_guide_src/source/installation/upgrade_300.rst
+++ b/user_guide_src/source/installation/upgrade_300.rst
@@ -527,6 +527,18 @@ scheduled for removal in CodeIgniter 3.1+.
 .. note:: This function is still available, but you're strongly encouraged
 to remove its usage sooner rather than later.
 
+Form helper form_prep()
+=======================
+
+:doc:`Form Helper <../helpers/form_helper>` function :func:`form_prep()`
+is now just an alias for :doc:`common function <common_functions>`
+:func:`html_escape()`. It is deprecated and will be removed in the future.
+
+Please use :func:`html_escape()` instead.
+
+.. note:: This function is still available, but you're strongly encouraged
+ to remove its usage sooner rather than later.
+
 Email helper functions
 ======================
 