From 7c4d10660a0a47446474bf97e3cb65f80693f1ee Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Thu, 1 Nov 2012 15:14:34 +0200 Subject: Fix issue #1953 (form values being escaped twice) Re-instaing an improved form_prep() function, reverting most of the changes from 74ffd17ab06327ca62ddfe28a186cae7ba6bd459. --- system/helpers/form_helper.php | 83 ++++++++++++---------- system/libraries/Form_validation.php | 10 +-- tests/codeigniter/helpers/form_helper_test.php | 15 ++++ user_guide_src/source/changelog.rst | 2 +- user_guide_src/source/helpers/form_helper.rst | 44 ++++++------ user_guide_src/source/installation/upgrade_300.rst | 10 --- 6 files changed, 88 insertions(+), 76 deletions(-) diff --git a/system/helpers/form_helper.php b/system/helpers/form_helper.php index 622622c0e..9c4c4dae6 100644 --- a/system/helpers/form_helper.php +++ b/system/helpers/form_helper.php @@ -124,9 +124,9 @@ if ( ! function_exists('form_hidden')) * Generates hidden fields. You can pass a simple key/value string or * an associative array with multiple values. * - * @param mixed - * @param string - * @param bool + * @param mixed $name Field name + * @param string $value Field value + * @param bool $recursing * @return string */ function form_hidden($name, $value = '', $recursing = FALSE) @@ -149,7 +149,7 @@ if ( ! function_exists('form_hidden')) if ( ! is_array($value)) { - $form .= '\n"; + $form .= '\n"; } else { @@ -243,9 +243,9 @@ if ( ! function_exists('form_textarea')) /** * Textarea field * - * @param mixed - * @param string - * @param string + * @param mixed $data + * @param string $value + * @param string $extra * @return string */ function form_textarea($data = '', $value = '', $extra = '') @@ -263,7 +263,7 @@ if ( ! function_exists('form_textarea')) } $name = is_array($data) ? $data['name'] : $data; - return '\n"; + return '\n"; } } @@ -298,10 +298,10 @@ if ( ! function_exists('form_dropdown')) /** * Drop-down Menu * - * @param mixed $name = '' - * @param mixed $options = array() - * @param mixed $selected = array() - * @param mixed $extra = array() + * @param mixed $name + * @param mixed $options + * @param mixed $selected + * @param mixed $extra * @return string */ function form_dropdown($name = '', $options = array(), $selected = array(), $extra = '') @@ -349,7 +349,7 @@ if ( ! function_exists('form_dropdown')) foreach ($val as $optgroup_key => $optgroup_val) { $sel = in_array($optgroup_key, $selected) ? ' selected="selected"' : ''; - $form .= '\n"; } @@ -357,7 +357,7 @@ if ( ! function_exists('form_dropdown')) } else { - $form .= '\n"; } @@ -600,17 +600,28 @@ if ( ! function_exists('form_prep')) * * Formats text so that it can be safely placed in a form field in the event it has HTML tags. * - * @todo Remove in version 3.1+. - * @deprecated 3.0.0 This function has been broken for a long time - * and is now just an alias for html_escape(). It's - * second argument is ignored. - * @param string $str = '' - * @param string $field_name = '' - * @return string + * @param string|string[] $str Value to escape + * @param bool $is_textarea Whether we're escaping for a textarea element + * @return string|string[] Escaped values */ - function form_prep($str = '', $field_name = '') + function form_prep($str = '', $is_textarea = FALSE) { - return html_escape($str); + if (is_array($str)) + { + foreach (array_keys($str) as $key) + { + $str[$key] = form_prep($str[$key], $is_textarea); + } + + return $str; + } + + if ($is_textarea === TRUE) + { + return str_replace(array('<', '>'), array('<', '>'), stripslashes($str)); + } + + return str_replace(array("'", '"'), array(''', '"'), stripslashes($data)); } } @@ -625,23 +636,21 @@ if ( ! function_exists('set_value')) * re-populate an input field or textarea. If Form Validation * is active it retrieves the info from the validation class * - * @param string - * @param string - * @return mixed + * @param string $field Field name + * @param string $default Default value + * @param bool $is_textarea Whether the field is a textarea element + * @return string */ - function set_value($field = '', $default = '') + function set_value($field = '', $default = '', $is_textarea = FALSE) { if (FALSE === ($OBJ =& _get_validation_object())) { - if ( ! isset($_POST[$field])) - { - return html_escape($default); - } - - return html_escape($_POST[$field]); + return isset($_POST[$field]) + ? form_prep($_POST[$field], $is_textarea) + : form_prep($default, $is_textarea); } - return html_escape($OBJ->set_value($field, $default)); + return form_prep($OBJ->set_value($field, $default), $is_textarea); } } @@ -862,8 +871,8 @@ if ( ! function_exists('_parse_form_attributes')) * * Helper function used by some of the form helpers * - * @param array - * @param array + * @param array $attributes List of attributes + * @param array $default Default values * @return string */ function _parse_form_attributes($attributes, $default) @@ -891,7 +900,7 @@ if ( ! function_exists('_parse_form_attributes')) { if ($key === 'value') { - $val = html_escape($val); + $val = form_prep($val); } elseif ($key === 'name' && ! strlen($default['name'])) { diff --git a/system/libraries/Form_validation.php b/system/libraries/Form_validation.php index c1bf51935..74dac7d29 100644 --- a/system/libraries/Form_validation.php +++ b/system/libraries/Form_validation.php @@ -1323,6 +1323,11 @@ class CI_Form_validation { */ public function prep_for_form($data = '') { + if ($this->_safe_form_data === FALSE OR empty($data)) + { + return $data; + } + if (is_array($data)) { foreach ($data as $key => $val) @@ -1333,11 +1338,6 @@ class CI_Form_validation { return $data; } - if ($this->_safe_form_data === FALSE OR $data === '') - { - return $data; - } - return str_replace(array("'", '"', '<', '>'), array(''', '"', '<', '>'), stripslashes($data)); } diff --git a/tests/codeigniter/helpers/form_helper_test.php b/tests/codeigniter/helpers/form_helper_test.php index 03278581d..89165271e 100644 --- a/tests/codeigniter/helpers/form_helper_test.php +++ b/tests/codeigniter/helpers/form_helper_test.php @@ -272,6 +272,21 @@ EOH; $this->assertEquals($expected, form_close('')); } + // ------------------------------------------------------------------------ + + public function test_form_prep() + { + $this->assertEquals( + 'Here is a string containing "quoted" text.', + form_prep('Here is a string containing "quoted" text.') + ); + + $this->assertEquals( + 'Here is a string containing a <tag>.', + form_prep('Here is a string containing a .', TRUE) + ); + } + } /* End of file form_helper_test.php */ \ No newline at end of file diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst index 4aef2a174..511ee00f6 100644 --- a/user_guide_src/source/changelog.rst +++ b/user_guide_src/source/changelog.rst @@ -77,7 +77,7 @@ Release Date: Not Released - Added a work-around in ``force_download()`` for a bug Android <= 2.1, where the filename extension needs to be in uppercase. - :doc:`Form Helper ` changes include: - ``form_dropdown()`` will now also take an array for unity with other form helpers. - - ``form_prep()`` is now **DEPRECATED** and only acts as an alias for :doc:`common function ` ``html_escape()``. + - ``form_prep()``'s second argument now only accepts a boolean value, which determines whether the value is escaped for a *textarea* or a regular *input* element. - ``do_hash()`` now uses PHP's native ``hash()`` function (supporting more algorithms) and is deprecated. - Removed previously deprecated helper function ``js_insert_smiley()`` from :doc:`Smiley Helper `. - :doc:`File Helper ` changes include: diff --git a/user_guide_src/source/helpers/form_helper.rst b/user_guide_src/source/helpers/form_helper.rst index 015bf1162..02a758694 100644 --- a/user_guide_src/source/helpers/form_helper.rst +++ b/user_guide_src/source/helpers/form_helper.rst @@ -463,6 +463,26 @@ the tag. For example echo form_close($string); // Would produce: +form_prep() +=========== + +Allows you to safely use HTML and characters such as quotes within form +elements without breaking out of the form. Consider this example +:: + + $string = 'Here is a string containing "quoted" text.'; + + +Since the above string contains a set of quotes it will cause the form +to break. The ``form_prep()`` function converts HTML so that it can be used +safely:: + + + +.. note:: If you use any of the form helper functions listed in this page the form + values will be prepped automatically, so there is no need to call this + function. Use it only if you are creating your own form elements. + set_value() =========== @@ -523,26 +543,4 @@ This function is identical to the **set_checkbox()** function above. .. note:: If you are using the Form Validation class, you must always specify a rule for your field, even if empty, in order for the set_*() functions to work. This is because if a Form Validation object is defined, the control for set_*() is handed over to a method of the class instead of the generic helper - function. - -Escaping field values -===================== - -You may need to use HTML and characters such as quotes within form -elements. In order to do that safely, you'll need to use -:doc:`common function <../general/common_functions>` ``html_escape()``. - -Consider the following example:: - - $string = 'Here is a string containing "quoted" text.'; - - -Since the above string contains a set of quotes it will cause the form -to break. The ``html_escape()`` function converts HTML so that it can be -used safely:: - - - -.. note:: If you use any of the form helper functions listed in this page, the form - values will be prepped automatically, so there is no need to call this - function. Use it only if you are creating your own form elements. \ No newline at end of file + function. \ No newline at end of file diff --git a/user_guide_src/source/installation/upgrade_300.rst b/user_guide_src/source/installation/upgrade_300.rst index 6d99f4655..fd5eea478 100644 --- a/user_guide_src/source/installation/upgrade_300.rst +++ b/user_guide_src/source/installation/upgrade_300.rst @@ -163,16 +163,6 @@ String helper repeater() PHP's native ``str_repeat()`` function. It is deprecated and scheduled for removal in CodeIgniter 3.1+. -.. note:: This function is still available, but you're strongly encouraged to remove it's usage sooner - rather than later. - -Form helper form_prep() -======================= - -:doc:`Form Helper <../helpers/form_helper>` function ``form_prep()`` is now just an alias for -:doc:`common function <../general/common_functions>` ``html_escape()`` and it's second argument -is ignored. It is deprecated and scheduled for removal in CodeIgniter 3.1+. - .. note:: This function is still available, but you're strongly encouraged to remove it's usage sooner rather than later. -- cgit v1.2.3-24-g4f1b