From 11bf768f557e7c63f8702648705536773b37c9b8 Mon Sep 17 00:00:00 2001
From: Adrian Voicu
Date: Thu, 5 Feb 2015 12:14:55 +0200
Subject: Allow not-escaping the value in set_value()

Wouldn't it be a good idea to allow for not escaped html in set_value()?
---
 system/helpers/form_helper.php | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/system/helpers/form_helper.php b/system/helpers/form_helper.php
index fb235291e..f6d6b433e 100644
--- a/system/helpers/form_helper.php
+++ b/system/helpers/form_helper.php
@@ -676,17 +676,18 @@ if ( ! function_exists('set_value'))
 *
 * @param string $field Field name
 * @param string $default Default value
+ * @param bool $escaped Escaped value
 * @return string
 */
- function set_value($field, $default = '')
+ function set_value($field, $default = '',$escaped = TRUE)
 {
 $CI =& get_instance();
 
 $value = (isset($CI->form_validation) && is_object($CI->form_validation) && $CI->form_validation->has_rule($field))
 ? $CI->form_validation->set_value($field, $default)
 : $CI->input->post($field, FALSE);
-
- return html_escape($value === NULL ? $default : $value);
+ $value = ($value === NULL) ? $default : $value;
+ return $escaped ? html_escape($value) : $value;
 }
 }
 
-- 
cgit v1.2.3-24-g4f1b

From 86e6a19eaa1f994588beee2c47143c19c800c8ec Mon Sep 17 00:00:00 2001
From: Adrian Voicu
Date: Thu, 5 Feb 2015 13:51:26 +0200
Subject: Update form_helper.php

---
 system/helpers/form_helper.php | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/system/helpers/form_helper.php b/system/helpers/form_helper.php
index f6d6b433e..dca4270f6 100644
--- a/system/helpers/form_helper.php
+++ b/system/helpers/form_helper.php
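Review bot: With `$escaped = FALSE`, the added `return $escaped ? html_escape($value) : $value;` hands back the submitted value exactly as `$CI->input->post($field, FALSE)` or the validation library returned it, and the new `@param bool $escaped Escaped value` line gives callers no hint that the result is then unsafe to print into markup. I would state the contract in the docblock, for example `@param bool $escaped Whether to HTML-escape the value; pass FALSE only when the result is handed to a helper that escapes it itself, e.g. form_input()`. The same gap remains after the rename to `$html_escape` in the two later form_helper.php hunks, so it is raised once here. The `if ( ! function_exists('set_value'))` block and the docblock both open above this hunk.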
@@ -676,18 +676,19 @@ if ( ! function_exists('set_value'))
 *
 * @param string $field Field name
 * @param string $default Default value
- * @param bool $escaped Escaped value
+ * @param bool $html_escape HTML escaped value
 * @return string
 */
- function set_value($field, $default = '',$escaped = TRUE)
+ function set_value($field, $default = '', $html_escape = TRUE)
 {
 $CI =& get_instance();
 
 $value = (isset($CI->form_validation) && is_object($CI->form_validation) && $CI->form_validation->has_rule($field))
 ? $CI->form_validation->set_value($field, $default)
 : $CI->input->post($field, FALSE);
- $value = ($value === NULL) ? $default : $value;
- return $escaped ? html_escape($value) : $value;
+
+ isset($value) OR $value = $default;
+ return ($html_escape) ? html_escape($value) : $value;
 }
 }
 
-- 
cgit v1.2.3-24-g4f1b

From 92889dd094454ba592e084b4cc65e6cabbb948ab Mon Sep 17 00:00:00 2001
From: Adrian Voicu
Date: Thu, 5 Feb 2015 15:15:46 +0200
Subject: update changelog for set_value()

---
 user_guide_src/source/changelog.rst | 1 +
 1 file changed, 1 insertion(+)

diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst
index a0c0de83f..5c5cd5e54 100644
--- a/user_guide_src/source/changelog.rst
+++ b/user_guide_src/source/changelog.rst
@@ -105,6 +105,7 @@ Release Date: Not Released
 
 - :php:func:`form_dropdown()` will now also take an array for unity with other form helpers.
 - :php:func:`form_prep()` is now DEPRECATED and only acts as an alias for :doc:`common function ` :php:func:`html_escape()`.
+ - :php:func:`set_value()` will now also accept a third argument, allowing to turn off HTML escaping of the value.
 
 - :doc:`Security Helper ` changes include:
 
-- 
cgit v1.2.3-24-g4f1b

From b47763adba672e2226d9bf236646c60535426b9d Mon Sep 17 00:00:00 2001
From: Adrian Voicu
Date: Thu, 5 Feb 2015 15:16:32 +0200
Subject: Update form_helper.rst

---
 user_guide_src/source/helpers/form_helper.rst | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)
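Review bot: The new `return ($html_escape) ? html_escape($value) : $value;` tests truthiness, so a caller passing `NULL`, `0` or `''` as the third argument, say from an unset option, switches escaping off without meaning to. Because the unescaped branch is the one that can put raw request data on the page, only an explicit `FALSE` should select it: `return ($html_escape !== FALSE) ? html_escape($value) : $value;`. The enclosing `if ( ! function_exists('set_value'))` block opens above the hunk.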
diff --git a/user_guide_src/source/helpers/form_helper.rst b/user_guide_src/source/helpers/form_helper.rst index 15f5d7825..362c9c35d 100644 --- a/user_guide_src/source/helpers/form_helper.rst +++ b/user_guide_src/source/helpers/form_helper.rst @@ -581,7 +581,9 @@ The following functions are available: Permits you to set the value of an input form or textarea. You must supply the field name via the first parameter of the function. The second (optional) parameter allows you to set a default value for the - form. + form. The third (optional) parameter allows you to turn off HTML escaping + of the value, in case you need to use this function in combination with + i.e. :php:func:`form_input()` and avoid double-escaping. Example:: @@ -589,11 +591,7 @@ The following functions are available: The above form will show "0" when loaded for the first time. - .. note:: Only use this function with raw HTML fields, as it - internally calls :php:func:`html_escape()` and combining its - usage with other form helper functions will result in - double HTML encoding! - + .. php:function:: set_select($field[, $value = ''[, $default = FALSE]]) :param string $field: Field name @@ -718,4 +716,4 @@ The following functions are available: .. note:: This function is DEPRECATED and is just an alias for :doc:`common function <../general/common_functions>` - :func:`html_escape()` - please use that instead. \ No newline at end of file + :func:`html_escape()` - please use that instead. -- cgit v1.2.3-24-g4f1b From fa61fb236654fbd3eea82d437da28c9aab33e559 Mon Sep 17 00:00:00 2001 From: Adrian Voicu Date: Thu, 5 Feb 2015 15:46:12 +0200 Subject: Update form_helper.php --- system/helpers/form_helper.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system/helpers/form_helper.php b/system/helpers/form_helper.php index dca4270f6..70c40a9c3 100644 --- a/system/helpers/form_helper.php +++ b/system/helpers/form_helper.php 
@@ -676,7 +676,7 @@ if ( ! function_exists('set_value'))
 *
 * @param string $field Field name
 * @param string $default Default value
- * @param bool $html_escape HTML escaped value
+ * @param bool $html_escape Whether to escape HTML special characters or not
 * @return string
 */
 function set_value($field, $default = '', $html_escape = TRUE)
-- 
cgit v1.2.3-24-g4f1b