From 7c4d10660a0a47446474bf97e3cb65f80693f1ee Mon Sep 17 00:00:00 2001
From: Andrey Andreev <narf@bofh.bg>
Date: Thu, 1 Nov 2012 15:14:34 +0200
Subject: Fix issue #1953 (form values being escaped twice)

Re-instaing an improved form_prep() function, reverting most of the changes from 74ffd17ab06327ca62ddfe28a186cae7ba6bd459.
---
 user_guide_src/source/changelog.rst                |  2 +-
 user_guide_src/source/helpers/form_helper.rst      | 44 +++++++++++-----------
 user_guide_src/source/installation/upgrade_300.rst | 10 -----
 3 files changed, 22 insertions(+), 34 deletions(-)

(limited to 'user_guide_src')

diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst
index 4aef2a174..511ee00f6 100644
--- a/user_guide_src/source/changelog.rst
+++ b/user_guide_src/source/changelog.rst
@@ -77,7 +77,7 @@ Release Date: Not Released
    -  Added a work-around in ``force_download()`` for a bug Android <= 2.1, where the filename extension needs to be in uppercase.
    -  :doc:`Form Helper <helpers/form_helper>` changes include:
 	 - ``form_dropdown()`` will now also take an array for unity with other form helpers.
-	 - ``form_prep()`` is now **DEPRECATED** and only acts as an alias for :doc:`common function <general/common_functions>` ``html_escape()``.
+	 - ``form_prep()``'s second argument now only accepts a boolean value, which determines whether the value is escaped for a *textarea* or a regular *input* element.
    -  ``do_hash()`` now uses PHP's native ``hash()`` function (supporting more algorithms) and is deprecated.
    -  Removed previously deprecated helper function ``js_insert_smiley()`` from :doc:`Smiley Helper <helpers/smiley_helper>`.
    -  :doc:`File Helper <helpers/file_helper>` changes include:
diff --git a/user_guide_src/source/helpers/form_helper.rst b/user_guide_src/source/helpers/form_helper.rst
index 015bf1162..02a758694 100644
--- a/user_guide_src/source/helpers/form_helper.rst
+++ b/user_guide_src/source/helpers/form_helper.rst
@@ -463,6 +463,26 @@ the tag. For example
 	echo form_close($string);
 	// Would produce:  </form> </div></div>
 
+form_prep()
+===========
+
+Allows you to safely use HTML and characters such as quotes within form
+elements without breaking out of the form. Consider this example
+::
+
+	$string = 'Here is a string containing "quoted" text.';
+	<input type="text" name="myform" value="$string" />
+
+Since the above string contains a set of quotes it will cause the form
+to break. The ``form_prep()`` function converts HTML so that it can be used
+safely::
+
+	<input type="text" name="myform" value="<?php echo form_prep($string); ?>" />
+
+.. note:: If you use any of the form helper functions listed in this page the form
+	values will be prepped automatically, so there is no need to call this
+	function. Use it only if you are creating your own form elements.
+
 set_value()
 ===========
 
@@ -523,26 +543,4 @@ This function is identical to the **set_checkbox()** function above.
 .. note:: If you are using the Form Validation class, you must always specify a rule for your field,
 	even if empty, in order for the set_*() functions to work. This is because if a Form Validation object
 	is defined, the control for set_*() is handed over to a method of the class instead of the generic helper
-	function.
-
-Escaping field values
-=====================
-
-You may need to use HTML and characters such as quotes within form
-elements. In order to do that safely, you'll need to use
-:doc:`common function <../general/common_functions>` ``html_escape()``.
-
-Consider the following example::
-
-	$string = 'Here is a string containing "quoted" text.';
-	<input type="text" name="myform" value="$string" />
-
-Since the above string contains a set of quotes it will cause the form
-to break. The ``html_escape()`` function converts HTML so that it can be
-used safely::
-
-	<input type="text" name="myform" value="<?php echo html_escape($string); ?>" />
-
-.. note:: If you use any of the form helper functions listed in this page, the form
-	values will be prepped automatically, so there is no need to call this
-	function. Use it only if you are creating your own form elements.
\ No newline at end of file
+	function.
\ No newline at end of file
diff --git a/user_guide_src/source/installation/upgrade_300.rst b/user_guide_src/source/installation/upgrade_300.rst
index 6d99f4655..fd5eea478 100644
--- a/user_guide_src/source/installation/upgrade_300.rst
+++ b/user_guide_src/source/installation/upgrade_300.rst
@@ -163,16 +163,6 @@ String helper repeater()
 PHP's native ``str_repeat()`` function. It is deprecated and scheduled for removal in
 CodeIgniter 3.1+.
 
-.. note:: This function is still available, but you're strongly encouraged to remove it's usage sooner
-	rather than later.
-
-Form helper form_prep()
-=======================
-
-:doc:`Form Helper <../helpers/form_helper>` function ``form_prep()`` is now just an alias for
-:doc:`common function <../general/common_functions>` ``html_escape()`` and it's second argument
-is ignored. It is deprecated and scheduled for removal in CodeIgniter 3.1+.
-
 .. note:: This function is still available, but you're strongly encouraged to remove it's usage sooner
 	rather than later.
 
-- 
cgit v1.2.3-24-g4f1b