From 0139e6a4a99cbe9b0cc06f394fa12d5691193b72 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Wed, 4 Nov 2015 22:42:17 +0200 Subject: [ci skip] Fix a false default-fallback bug in set_checkbox(), set_radio() Relevant: #4210 --- system/helpers/form_helper.php | 41 +++++++++++++++++++++++++++++++++-------- 1 file changed, 33 insertions(+), 8 deletions(-) (limited to 'system/helpers/form_helper.php') diff --git a/system/helpers/form_helper.php b/system/helpers/form_helper.php index fd807769a..37dafd913 100644 --- a/system/helpers/form_helper.php +++ b/system/helpers/form_helper.php @@ -769,12 +769,11 @@ if ( ! function_exists('set_checkbox')) { return $CI->form_validation->set_checkbox($field, $value, $default); } - elseif (($input = $CI->input->post($field, FALSE)) === NULL) - { - return ($default === TRUE) ? ' checked="checked"' : ''; - } + // Form inputs are always strings ... $value = (string) $value; + $input = $CI->input->post($field, FALSE); + if (is_array($input)) { // Note: in_array('', array(0)) returns TRUE, do not use it @@ -789,7 +788,13 @@ if ( ! function_exists('set_checkbox')) return ''; } - return ($input === $value) ? ' checked="checked"' : ''; + // Unchecked checkbox and radio inputs are not even submitted by browsers ... + if ($CI->input->method() === 'post') + { + return ($input === 'value') ? ' checked="checked"' : ''; + } + + return ($default === TRUE) ? ' checked="checked"' : ''; } } 
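Review bot: The new POST branch compares the submitted value against the string literal `'value'` rather than the `$value` parameter (`return ($input === 'value') ? ' checked="checked"' : '';`), so after a POST a checkbox is reported checked only when the browser literally submits "value"; the line should be `return ($input === $value) ? ' checked="checked"' : '';`, which is what the `$value = (string) $value;` cast a few lines above is preparing for. Passing `FALSE` to `post()` to skip XSS filtering is acceptable here because the input is only compared and the function emits a fixed attribute string, never the submitted text. The default-fallback now applies only to non-POST requests, which matches the inline comment but deserves a sentence in set_checkbox()'s docblock. set_checkbox() begins before this hunk.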
@@ -816,12 +821,32 @@ if ( ! function_exists('set_radio')) { return $CI->form_validation->set_radio($field, $value, $default); } - elseif (($input = $CI->input->post($field, FALSE)) === NULL) + + // Form inputs are always strings ... + $value = (string) $value; + $input = $CI->input->post($field, FALSE); + + if (is_array($input)) + { + // Note: in_array('', array(0)) returns TRUE, do not use it + foreach ($input as &$v) + { + if ($value === $v) + { + return ' checked="checked"'; + } + } + + return ''; + } + + // Unchecked checkbox and radio inputs are not even submitted by browsers ... + if ($CI->input->method() === 'post') { - return ($default === TRUE) ? ' checked="checked"' : ''; + return ($input === 'value') ? ' checked="checked"' : ''; } - return ($input === (string) $value) ? ' checked="checked"' : ''; + return ($default === TRUE) ? ' checked="checked"' : ''; } } -- cgit v1.2.3-24-g4f1b From 125ef4751080a2118cb203357d77687699e3eb25 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Mon, 11 Jan 2016 12:33:00 +0200 Subject: [ci skip] Bump year to 2016 --- system/helpers/form_helper.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'system/helpers/form_helper.php') diff --git a/system/helpers/form_helper.php b/system/helpers/form_helper.php index 37dafd913..badf7773d 100644 --- a/system/helpers/form_helper.php +++ b/system/helpers/form_helper.php @@ -6,7 +6,7 @@ * * This content is released under the MIT License (MIT) * - * Copyright (c) 2014 - 2015, British Columbia Institute of Technology + * Copyright (c) 2014 - 2016, British Columbia Institute of Technology * * Permission is hereby granted, free of charge, to any person obtaining a copy * of this software and associated documentation files (the "Software"), to deal 
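Review bot: set_radio()'s new POST branch has the same literal-string comparison, `return ($input === 'value') ? ' checked="checked"' : '';`, which should read `return ($input === $value) ? ' checked="checked"' : '';`. The array branch iterates with `foreach ($input as &$v)` but never writes through the reference, so a plain `foreach ($input as $v)` is sufficient and avoids leaving `$v` bound to the last element; the strict one-liner `return in_array($value, $input, TRUE) ? ' checked="checked"' : '';` would also do, since the `in_array('', array(0))` caveat in the comment only applies to the non-strict form. set_radio() begins before this hunk.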
@@ -29,7 +29,7 @@ * @package CodeIgniter * @author EllisLab Dev Team * @copyright Copyright (c) 2008 - 2014, EllisLab, Inc. (http://ellislab.com/) - * @copyright Copyright (c) 2014 - 2015, British Columbia Institute of Technology (http://bcit.ca/) + * @copyright Copyright (c) 2014 - 2016, British Columbia Institute of Technology (http://bcit.ca/) * @license http://opensource.org/licenses/MIT MIT License * @link http://codeigniter.com * @since Version 1.0.0 -- cgit v1.2.3-24-g4f1b From bd202c91b0e9cf0a8c93bcaa71df9574f5909346 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Mon, 11 Jan 2016 12:50:18 +0200 Subject: [ci skip] Update codeigniter.com links to https --- system/helpers/form_helper.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'system/helpers/form_helper.php') diff --git a/system/helpers/form_helper.php b/system/helpers/form_helper.php index badf7773d..1624bded0 100644 --- a/system/helpers/form_helper.php +++ b/system/helpers/form_helper.php @@ -31,7 +31,7 @@ * @copyright Copyright (c) 2008 - 2014, EllisLab, Inc. (http://ellislab.com/) * @copyright Copyright (c) 2014 - 2016, British Columbia Institute of Technology (http://bcit.ca/) * @license http://opensource.org/licenses/MIT MIT License - * @link http://codeigniter.com + * @link https://codeigniter.com * @since Version 1.0.0 * @filesource */ @@ -44,7 +44,7 @@ defined('BASEPATH') OR exit('No direct script access allowed'); * @subpackage Helpers * @category Helpers * @author EllisLab Dev Team - * @link http://codeigniter.com/user_guide/helpers/form_helper.html + * @link https://codeigniter.com/user_guide/helpers/form_helper.html */ // ------------------------------------------------------------------------ -- cgit v1.2.3-24-g4f1b From 1924e879b165fb119847a49a7a5eab2f28295fa2 Mon Sep 17 00:00:00 2001 
From: Andrey Andreev Date: Mon, 11 Jan 2016 12:55:34 +0200 Subject: [ci skip] Update ellislab.com links to https too --- system/helpers/form_helper.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system/helpers/form_helper.php') diff --git a/system/helpers/form_helper.php b/system/helpers/form_helper.php index 1624bded0..04778b084 100644 --- a/system/helpers/form_helper.php +++ b/system/helpers/form_helper.php @@ -28,7 +28,7 @@ * * @package CodeIgniter * @author EllisLab Dev Team - * @copyright Copyright (c) 2008 - 2014, EllisLab, Inc. (http://ellislab.com/) + * @copyright Copyright (c) 2008 - 2014, EllisLab, Inc. (https://ellislab.com/) * @copyright Copyright (c) 2014 - 2016, British Columbia Institute of Technology (http://bcit.ca/) * @license http://opensource.org/licenses/MIT MIT License * @link https://codeigniter.com -- cgit v1.2.3-24-g4f1b From 0b59bdd3cd647b44c83e746a5d3d3aa179325df4 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Fri, 29 Jan 2016 01:18:08 +0200 Subject: Fix a regression in Form helper caused by 0139e6a4a99cbe9b0cc06f394fa12d5691193b72 --- system/helpers/form_helper.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'system/helpers/form_helper.php') diff --git a/system/helpers/form_helper.php b/system/helpers/form_helper.php index 04778b084..3e1039525 100644 --- a/system/helpers/form_helper.php +++ b/system/helpers/form_helper.php @@ -791,7 +791,7 @@ if ( ! function_exists('set_checkbox')) // Unchecked checkbox and radio inputs are not even submitted by browsers ... if ($CI->input->method() === 'post') { - return ($input === 'value') ? ' checked="checked"' : ''; + return ($input === $value) ? ' checked="checked"' : ''; } return ($default === TRUE) ? ' checked="checked"' : ''; 
@@ -843,7 +843,7 @@ if ( ! function_exists('set_radio')) // Unchecked checkbox and radio inputs are not even submitted by browsers ... if ($CI->input->method() === 'post') { - return ($input === 'value') ? ' checked="checked"' : ''; + return ($input === $value) ? ' checked="checked"' : ''; } return ($default === TRUE) ? ' checked="checked"' : ''; -- cgit v1.2.3-24-g4f1b From cadcef85a218595b5999442d669086bdb5628947 Mon Sep 17 00:00:00 2001 From: Kasim Tan Date: Thu, 19 May 2016 12:06:07 -0700 Subject: Fixed PHPDoc parameter name and type discrepancies --- system/helpers/form_helper.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system/helpers/form_helper.php') diff --git a/system/helpers/form_helper.php b/system/helpers/form_helper.php index 3e1039525..dfb9ae2d2 100644 --- a/system/helpers/form_helper.php +++ b/system/helpers/form_helper.php @@ -568,7 +568,7 @@ if ( ! function_exists('form_label')) * * @param string The text to appear onscreen * @param string The id the label applies to - * @param string Additional attributes + * @param array Additional attributes * @return string */ function form_label($label_text = '', $id = '', $attributes = array()) -- cgit v1.2.3-24-g4f1b From e1b9495b7b1b55c8dfd6b602e35b6d5c269c0a90 Mon Sep 17 00:00:00 2001 From: Kasim Tan Date: Fri, 20 May 2016 07:16:14 -0700 Subject: Removed an extra space char --- system/helpers/form_helper.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system/helpers/form_helper.php') diff --git a/system/helpers/form_helper.php b/system/helpers/form_helper.php index dfb9ae2d2..8825ecc2c 100644 --- a/system/helpers/form_helper.php +++ b/system/helpers/form_helper.php 
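Review bot: The one-character fix is correct, but the fact that the same typo had to be corrected in two places shows that set_checkbox() and set_radio() now carry an identical post-`form_validation` body (string cast, array scan, POST comparison, default fallback); extracting that into a single private helper called by both would make future fixes land once. A regression test that seeds the POST input with `'a'` and asserts `set_radio('f', 'a')` yields `' checked="checked"'` while `set_radio('f', 'b')` yields `''` would have caught this, assuming the helper test suite can inject request data. set_radio() begins before this hunk.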
@@ -568,7 +568,7 @@ if ( ! function_exists('form_label')) * * @param string The text to appear onscreen * @param string The id the label applies to - * @param array Additional attributes + * @param array Additional attributes * @return string */ function form_label($label_text = '', $id = '', $attributes = array()) -- cgit v1.2.3-24-g4f1b From e13fa9fdb3f2e311bd7331e49b26889f24bc81cb Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Fri, 20 May 2016 17:30:07 +0300 Subject: Merge pull request #4638 from kasimtan/phpdoc_fixes [ci skip] Fixed PHPDoc parameter name and type discrepancies --- system/helpers/form_helper.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system/helpers/form_helper.php') diff --git a/system/helpers/form_helper.php b/system/helpers/form_helper.php index 3e1039525..8825ecc2c 100644 --- a/system/helpers/form_helper.php +++ b/system/helpers/form_helper.php @@ -568,7 +568,7 @@ if ( ! function_exists('form_label')) * * @param string The text to appear onscreen * @param string The id the label applies to - * @param string Additional attributes + * @param array Additional attributes * @return string */ function form_label($label_text = '', $id = '', $attributes = array()) -- cgit v1.2.3-24-g4f1b From 8d684c23364f2fd28700e0a5ae2e90dd7fab61fe Mon Sep 17 00:00:00 2001 From: Edwin Smulders Date: Tue, 27 Sep 2016 11:02:39 +0200 Subject: Remove inline styles from hidden form input This change fixes console errors when using a CSP header that disables inline styles. --- system/helpers/form_helper.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system/helpers/form_helper.php') diff --git a/system/helpers/form_helper.php b/system/helpers/form_helper.php index 8825ecc2c..aa7379f77 100644 --- a/system/helpers/form_helper.php +++ b/system/helpers/form_helper.php 
@@ -100,7 +100,7 @@ if ( ! function_exists('form_open')) { foreach ($hidden as $name => $value) { - $form .= ''."\n"; + $form .= ''."\n"; } } -- cgit v1.2.3-24-g4f1b From 7a49c0b0f12121be39001a13a97bd608f6a30a7a Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Tue, 27 Sep 2016 14:00:26 +0300 Subject: Merge pull request #4810 from Dutchy-/patch-1 Remove inline style from form_open() hidden fields --- system/helpers/form_helper.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system/helpers/form_helper.php') diff --git a/system/helpers/form_helper.php b/system/helpers/form_helper.php index 8825ecc2c..aa7379f77 100644 --- a/system/helpers/form_helper.php +++ b/system/helpers/form_helper.php @@ -100,7 +100,7 @@ if ( ! function_exists('form_open')) { foreach ($hidden as $name => $value) { - $form .= ''."\n"; + $form .= ''."\n"; } } -- cgit v1.2.3-24-g4f1b From 37c4cc599698da0634d620665491fc27e9a36beb Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Thu, 1 Dec 2016 15:33:42 +0200 Subject: Remove previously deprecated Form Helper function form_prep() --- system/helpers/form_helper.php | 19 ------------------- 1 file changed, 19 deletions(-) (limited to 'system/helpers/form_helper.php') diff --git a/system/helpers/form_helper.php b/system/helpers/form_helper.php index aa7379f77..9756437ae 100644 --- a/system/helpers/form_helper.php +++ b/system/helpers/form_helper.php 
@@ -653,25 +653,6 @@ if ( ! function_exists('form_close')) // ------------------------------------------------------------------------ -if ( ! function_exists('form_prep')) -{ - /** - * Form Prep - * - * Formats text so that it can be safely placed in a form field in the event it has HTML tags. - * - * @deprecated 3.0.0 An alias for html_escape() - * @param string|string[] $str Value to escape - * @return string|string[] Escaped values - */ - function form_prep($str) - { - return html_escape($str, TRUE); - } -} - -// ------------------------------------------------------------------------ - if ( ! function_exists('set_value')) { /** -- cgit v1.2.3-24-g4f1b From a299f56629c764afd8909c90ca3bb36625e84109 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Wed, 14 Dec 2016 14:09:27 +0200 Subject: Remove dead parameter from form_upload() Close #3558 --- system/helpers/form_helper.php | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'system/helpers/form_helper.php') diff --git a/system/helpers/form_helper.php b/system/helpers/form_helper.php index 9756437ae..496fc1055 100644 --- a/system/helpers/form_helper.php +++ b/system/helpers/form_helper.php @@ -244,11 +244,10 @@ if ( ! function_exists('form_upload')) * Identical to the input function but adds the "file" type * * @param mixed - * @param string * @param mixed * @return string */ - function form_upload($data = '', $value = '', $extra = '') + function form_upload($data = '', $extra = '') { $defaults = array('type' => 'file', 'name' => ''); is_array($data) OR $data = array('name' => $data); -- cgit v1.2.3-24-g4f1b From fced25f5728ce81fe810216fcaa4ccec7523f6c9 Mon Sep 17 00:00:00 2001 From: Master Yoda Date: Sat, 31 Dec 2016 08:46:18 -0800 Subject: Update copyright data to 2017 --- system/helpers/form_helper.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'system/helpers/form_helper.php') 
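Review bot: Removing the middle parameter from `function form_upload($data = '', $extra = '')` silently breaks positional callers: code written as `form_upload('avatar', '', 'class="x"')` now binds `''` to `$extra` and PHP discards the third argument without any warning, so the extra attributes vanish. Since `$value` was dead anyway, a BC-safe option is to keep the slot for one release, `function form_upload($data = '', $value = '', $extra = '')`, with a `@deprecated` note that `$value` is ignored, or at minimum to call the signature change out in the changelog and docblock. The rest of form_upload() lies outside this hunk.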
diff --git a/system/helpers/form_helper.php b/system/helpers/form_helper.php index 496fc1055..9844c752a 100644 --- a/system/helpers/form_helper.php +++ b/system/helpers/form_helper.php @@ -6,7 +6,7 @@ * * This content is released under the MIT License (MIT) * - * Copyright (c) 2014 - 2016, British Columbia Institute of Technology + * Copyright (c) 2014 - 2017, British Columbia Institute of Technology * * Permission is hereby granted, free of charge, to any person obtaining a copy * of this software and associated documentation files (the "Software"), to deal @@ -29,7 +29,7 @@ * @package CodeIgniter * @author EllisLab Dev Team * @copyright Copyright (c) 2008 - 2014, EllisLab, Inc. (https://ellislab.com/) - * @copyright Copyright (c) 2014 - 2016, British Columbia Institute of Technology (http://bcit.ca/) + * @copyright Copyright (c) 2014 - 2017, British Columbia Institute of Technology (http://bcit.ca/) * @license http://opensource.org/licenses/MIT MIT License * @link https://codeigniter.com * @since Version 1.0.0 -- cgit v1.2.3-24-g4f1b From da60e9bc66ec90970fbd2dfd08b0a6e66b9f5f5f Mon Sep 17 00:00:00 2001 From: Master Yoda Date: Sat, 31 Dec 2016 08:46:18 -0800 Subject: Update copyright data to 2017 --- system/helpers/form_helper.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'system/helpers/form_helper.php') diff --git a/system/helpers/form_helper.php b/system/helpers/form_helper.php index aa7379f77..fc7d2a6a0 100644 --- a/system/helpers/form_helper.php +++ b/system/helpers/form_helper.php @@ -6,7 +6,7 @@ * * This content is released under the MIT License (MIT) * - * Copyright (c) 2014 - 2016, British Columbia Institute of Technology + * Copyright (c) 2014 - 2017, British Columbia Institute of Technology * * Permission is hereby granted, free of charge, to any person obtaining a copy * of this software and associated documentation files (the "Software"), to deal 
@@ -29,7 +29,7 @@ * @package CodeIgniter * @author EllisLab Dev Team * @copyright Copyright (c) 2008 - 2014, EllisLab, Inc. (https://ellislab.com/) - * @copyright Copyright (c) 2014 - 2016, British Columbia Institute of Technology (http://bcit.ca/) + * @copyright Copyright (c) 2014 - 2017, British Columbia Institute of Technology (http://bcit.ca/) * @license http://opensource.org/licenses/MIT MIT License * @link https://codeigniter.com * @since Version 1.0.0 -- cgit v1.2.3-24-g4f1b From cfd52edad6a4ae84b0c34755455b5b7b164878be Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Wed, 4 Jan 2017 16:58:08 +0200 Subject: [ci skip] Try to mitigate BREACH attacks against CSRF tokens --- system/helpers/form_helper.php | 41 +++++++++++++++++++++++++++++++++++------ 1 file changed, 35 insertions(+), 6 deletions(-) (limited to 'system/helpers/form_helper.php') diff --git a/system/helpers/form_helper.php b/system/helpers/form_helper.php index fc7d2a6a0..a49eea803 100644 --- a/system/helpers/form_helper.php +++ b/system/helpers/form_helper.php @@ -90,12 +90,6 @@ if ( ! function_exists('form_open')) $form = '
\n"; - // Add CSRF field if enabled, but leave it out for GET requests and requests to external websites - if ($CI->config->item('csrf_protection') === TRUE && strpos($action, $CI->config->base_url()) !== FALSE && ! stripos($form, 'method="get"')) - { - $hidden[$CI->security->get_csrf_token_name()] = $CI->security->get_csrf_hash(); - } - if (is_array($hidden)) { foreach ($hidden as $name => $value) @@ -104,6 +98,41 @@ if ( ! function_exists('form_open')) } } + // Add CSRF field if enabled, but leave it out for GET requests and requests to external websites + if ($CI->config->item('csrf_protection') === TRUE && strpos($action, $CI->config->base_url()) !== FALSE && ! stripos($form, 'method="get"')) + { + // Prepend/append random-length "white noise" around the CSRF + // token input, as a form of protection against BREACH attacks + if (FALSE !== ($noise = $CI->security->get_random_bytes(1))) + { + list(, $noise) = unpack('c', $noise); + } + else + { + $noise = mt_rand(-128, 127); + } + + // Prepend if $noise has a negative value, append if positive, do nothing for zero + $prepend = $append = ''; + if ($noise < 0) + { + $prepend = str_repeat(" ", abs($noise)); + } + elseif ($noise > 0) + { + $append = str_repeat(" ", $noise); + } + + $form .= sprintf( + '%s%s%s', + $prepend, + $CI->security->get_csrf_token_name(), + $CI->security->get_csrf_hash(), + $append, + "\n" + ); + } + return $form; } } -- cgit v1.2.3-24-g4f1b