6 files changed, 50 insertions, 81 deletions
diff --git a/system/helpers/date_helper.php b/system/helpers/date_helper.php
index 51b2b76db..5d9251526 100644
--- a/system/helpers/date_helper.php
+++ b/system/helpers/date_helper.php
@@ -119,19 +119,16 @@ if ( ! function_exists('standard_date'))
 	 *
 	 * As of PHP 5.2, the DateTime extension provides constants that
 	 * serve for the exact same purpose and are used with date().
-	 * Due to that, this function is DEPRECATED and should be removed
-	 * in CodeIgniter 3.1+.
 	 *
-	 * Here are two examples of how you should replace it:
+	 * @todo	Remove in version 3.1+.
+	 * @deprecated	3.0.0	Use PHP's native date() instead.
+	 * @link	http://www.php.net/manual/en/class.datetime.php#datetime.constants.types
 	 *
-	 *	date(DATE_RFC822, now()); // default
-	 *	date(DATE_W3C, $time); // a different format and time
+	 * @example	date(DATE_RFC822, now()); // default
+	 * @example	date(DATE_W3C, $time); // a different format and time
 	 *
-	 * Reference: http://www.php.net/manual/en/class.datetime.php#datetime.constants.types
-	 *
-	 * @deprecated
-	 * @param	string	the chosen format
-	 * @param	int	Unix timestamp
+	 * @param	string	$fmt = 'DATE_RFC822'	the chosen format
+	 * @param	int	$time = NULL		Unix timestamp
 	 * @return	string
 	 */
 	function standard_date($fmt = 'DATE_RFC822', $time = NULL)
diff --git a/system/helpers/file_helper.php b/system/helpers/file_helper.php
index 441345b05..8f23a3d54 100644
--- a/system/helpers/file_helper.php
+++ b/system/helpers/file_helper.php
@@ -44,12 +44,10 @@ if ( ! function_exists('read_file'))
 	 *
 	 * Opens the file specfied in the path and returns it as a string.
 	 *
-	 * This function is DEPRECATED and should be removed in
-	 * CodeIgniter 3.1+. Use file_get_contents() instead.
-	 *
-	 * @deprecated
-	 * @param	string	path to file
-	 * @return	string
+	 * @todo	Remove in version 3.1+.
+	 * @deprecated	3.0.0	It is now just an alias for PHP's native file_get_contents().
+	 * @param	string	$file	Path to file
+	 * @return	string	File contents
 	 */
 	function read_file($file)
 	{
diff --git a/system/helpers/form_helper.php b/system/helpers/form_helper.php
index 1bccac35c..622622c0e 100644
--- a/system/helpers/form_helper.php
+++ b/system/helpers/form_helper.php
@@ -149,7 +149,7 @@ if ( ! function_exists('form_hidden'))
 
 		if ( ! is_array($value))
 		{
-			$form .= '<input type="hidden" name="'.$name.'" value="'.form_prep($value, $name)."\" />\n";
+			$form .= '<input type="hidden" name="'.$name.'" value="'.html_escape($value)."\" />\n";
 		}
 		else
 		{
@@ -263,7 +263,7 @@ if ( ! function_exists('form_textarea'))
 		}
 
 		$name = is_array($data) ? $data['name'] : $data;
-		return '<textarea '._parse_form_attributes($data, $defaults).$extra.'>'.form_prep($val, $name)."</textarea>\n";
+		return '<textarea '._parse_form_attributes($data, $defaults).$extra.'>'.html_escape($val)."</textarea>\n";
 	}
 }
 
@@ -298,10 +298,10 @@ if ( ! function_exists('form_dropdown'))
 	/**
 	 * Drop-down Menu
 	 *
-	 * @param	string
-	 * @param	array
-	 * @param	string
-	 * @param	string
+	 * @param	mixed	$name = ''
+	 * @param	mixed	$options = array()
+	 * @param	mixed	$selected = array()
+	 * @param	mixed	$extra = array()
 	 * @return	string
 	 */
 	function form_dropdown($name = '', $options = array(), $selected = array(), $extra = '')
@@ -316,10 +316,7 @@ if ( ! function_exists('form_dropdown'))
 			return form_dropdown($name['name'], $name['options'], $name['selected'], $name['extra']);
 		}
 
-		if ( ! is_array($selected))
-		{
-			$selected = array($selected);
-		}
+		is_array($selected) OR $selected = array($selected);
 
 		// If no selected state was submitted we will attempt to set it automatically
 		if (count($selected) === 0 && isset($_POST[$name]))
@@ -352,14 +349,17 @@ if ( ! function_exists('form_dropdown'))
 				foreach ($val as $optgroup_key => $optgroup_val)
 				{
 					$sel = in_array($optgroup_key, $selected) ? ' selected="selected"' : '';
-					$form .= '<option value="'.$optgroup_key.'"'.$sel.'>'.(string) $optgroup_val."</option>\n";
+					$form .= '<option value="'.html_escape($optgroup_key).'"'.$sel.'>'
+						.(string) $optgroup_val."</option>\n";
 				}
 
 				$form .= "</optgroup>\n";
 			}
 			else
 			{
-				$form .= '<option value="'.$key.'"'.(in_array($key, $selected) ? ' selected="selected"' : '').'>'.(string) $val."</option>\n";
+				$form .= '<option value="'.html_escape($key).'"'
+					.(in_array($key, $selected) ? ' selected="selected"' : '').'>'
+					.(string) $val."</option>\n";
 			}
 		}
 
@@ -600,44 +600,16 @@ if ( ! function_exists('form_prep'))
 	 *
 	 * Formats text so that it can be safely placed in a form field in the event it has HTML tags.
 	 *
-	 * @param	string
-	 * @param	string
+	 * @todo	Remove in version 3.1+.
+	 * @deprecated	3.0.0	This function has been broken for a long time
+	 *			and is now just an alias for html_escape(). It's
+	 *			second argument is ignored.
+	 * @param	string	$str = ''
+	 * @param	string	$field_name = ''
 	 * @return	string
 	 */
 	function form_prep($str = '', $field_name = '')
 	{
-		static $prepped_fields = array();
-
-		// if the field name is an array we do this recursively
-		if (is_array($str))
-		{
-			foreach ($str as $key => $val)
-			{
-				$str[$key] = form_prep($val);
-			}
-
-			return $str;
-		}
-
-		if ($str === '')
-		{
-			return '';
-		}
-
-		// we've already prepped a field with this name
-		// @todo need to figure out a way to namespace this so
-		// that we know the *exact* field and not just one with
-		// the same name
-		if (isset($prepped_fields[$field_name]))
-		{
-			return $str;
-		}
-
-		if ($field_name !== '')
-		{
-			$prepped_fields[$field_name] = $field_name;
-		}
-
 		return html_escape($str);
 	}
 }
@@ -663,13 +635,13 @@ if ( ! function_exists('set_value'))
 		{
 			if ( ! isset($_POST[$field]))
 			{
-				return $default;
+				return html_escape($default);
 			}
 
-			return form_prep($_POST[$field], $field);
+			return html_escape($_POST[$field]);
 		}
 
-		return form_prep($OBJ->set_value($field, $default), $field);
+		return html_escape($OBJ->set_value($field, $default));
 	}
 }
 
@@ -919,7 +891,11 @@ if ( ! function_exists('_parse_form_attributes'))
 		{
 			if ($key === 'value')
 			{
-				$val = form_prep($val, $default['name']);
+				$val = html_escape($val);
+			}
+			elseif ($key === 'name' && ! strlen($default['name']))
+			{
+				continue;
 			}
 
 			$att .= $key.'="'.$val.'" ';
diff --git a/system/helpers/security_helper.php b/system/helpers/security_helper.php
index 5ecc960bc..8bbd06684 100644
--- a/system/helpers/security_helper.php
+++ b/system/helpers/security_helper.php
@@ -77,12 +77,10 @@ if ( ! function_exists('do_hash'))
 	/**
 	 * Hash encode a string
 	 *
-	 * This function is DEPRECATED and should be removed in
-	 * CodeIgniter 3.1+. Use hash() instead.
-	 *
-	 * @deprecated
-	 * @param	string
-	 * @param	string
+	 * @todo	Remove in version 3.1+.
+	 * @deprecated	3.0.0	Use PHP's native hash() instead.
+	 * @param	string	$str
+	 * @param	string	$type = 'sha1'
 	 * @return	string
 	 */
 	function do_hash($str, $type = 'sha1')
diff --git a/system/helpers/string_helper.php b/system/helpers/string_helper.php
index 4eee2a262..c5c493452 100644
--- a/system/helpers/string_helper.php
+++ b/system/helpers/string_helper.php
@@ -276,8 +276,11 @@ if ( ! function_exists('repeater'))
 	/**
 	 * Repeater function
 	 *
-	 * @param	string
-	 * @param	int	number of repeats
+	 * @todo	Remove in version 3.1+.
+	 * @deprecated	3.0.0	This is just an alias for PHP's native str_repeat()
+	 *
+	 * @param	string	$data	String to repeat
+	 * @param	int	$num	Number of repeats
 	 * @return	string
 	 */
 	function repeater($data, $num = 1)
diff --git a/system/helpers/text_helper.php b/system/helpers/text_helper.php
index 016a36c57..89602fc28 100644
--- a/system/helpers/text_helper.php
+++ b/system/helpers/text_helper.php
@@ -118,18 +118,15 @@ if ( ! function_exists('ascii_to_entities'))
 	/**
 	 * High ASCII to Entities
 	 *
-	 * Converts High ascii text and MS Word special characters to character entities
+	 * Converts high ASCII text and MS Word special characters to character entities
 	 *
-	 * @param	string
+	 * @param	string	$str
 	 * @return	string
 	 */
 	function ascii_to_entities($str)
 	{
-		$count	= 1;
-		$out	= '';
-		$temp	= array();
-
-		for ($i = 0, $s = strlen($str); $i < $s; $i++)
+		$out = '';
+		for ($i = 0, $s = strlen($str), $count = 1, $temp = array(); $i < $s; $i++)
 		{
 			$ordinal = ord($str[$i]);