Revert 7c4d10660a0a47446474bf97e3cb65f80693f1ee

Deprecates form_prep() in favor of html_escape() (again).

Related: issue #1953, which was the reason for the reverted commit;
it was wrongly interpreted, and that shouldn't have happened.

Close #2477
diff --git a/system/helpers/form_helper.php b/system/helpers/form_helper.php
index 0e9207e..007db4c 100644
--- a/system/helpers/form_helper.php
+++ b/system/helpers/form_helper.php
@@ -100,7 +100,7 @@
 		{
 			foreach ($hidden as $name => $value)
 			{
-				$form .= '<input type="hidden" name="'.$name.'" value="'.form_prep($value).'" style="display:none;" />'."\n";
+				$form .= '<input type="hidden" name="'.$name.'" value="'.html_escape($value).'" style="display:none;" />'."\n";
 			}
 		}
 
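Review bot: `$name` is still concatenated raw into the `name="…"` attribute on the changed line, so only the value half of the tag is escaped; a key containing a double quote would close the attribute early. If the keys of `$hidden` can ever be derived from request or stored data, escape them too: `name="'.html_escape($name).'"`. The same applies to the `name` attribute in the next hunk (@@ -173). The enclosing function starts and ends outside this hunk.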
@@ -173,7 +173,7 @@
 
 		if ( ! is_array($value))
 		{
-			$form .= '<input type="hidden" name="'.$name.'" value="'.form_prep($value)."\" />\n";
+			$form .= '<input type="hidden" name="'.$name.'" value="'.html_escape($value)."\" />\n";
 		}
 		else
 		{
@@ -287,7 +287,7 @@
 			unset($data['value']); // textareas don't use the value attribute
 		}
 
-		return '<textarea '._parse_form_attributes($data, $defaults).$extra.'>'.form_prep($val, TRUE)."</textarea>\n";
+		return '<textarea '._parse_form_attributes($data, $defaults).$extra.'>'.html_escape($val)."</textarea>\n";
 	}
 }
 
@@ -392,7 +392,7 @@
 				foreach ($val as $optgroup_key => $optgroup_val)
 				{
 					$sel = in_array($optgroup_key, $selected) ? ' selected="selected"' : '';
-					$form .= '<option value="'.form_prep($optgroup_key).'"'.$sel.'>'
+					$form .= '<option value="'.html_escape($optgroup_key).'"'.$sel.'>'
 						.(string) $optgroup_val."</option>\n";
 				}
 
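Review bot: The option label `(string) $optgroup_val` is written into the element body unescaped while the `value` attribute beside it is now escaped, and the hunk at @@ -400 does the same with `(string) $val`. When the options array is built from stored or user-supplied data, that label is an HTML injection point. Either escape it, e.g. `.html_escape((string) $optgroup_val)."</option>\n";`, or state in the function's docblock that labels are emitted as-is and must be escaped by the caller. The enclosing function lies outside the hunk, so whether labels are deliberately allowed to carry markup cannot be seen from here.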
@@ -400,7 +400,7 @@
 			}
 			else
 			{
-				$form .= '<option value="'.form_prep($key).'"'
+				$form .= '<option value="'.html_escape($key).'"'
 					.(in_array($key, $selected) ? ' selected="selected"' : '').'>'
 					.(string) $val."</option>\n";
 			}
@@ -653,28 +653,13 @@
 	 *
 	 * Formats text so that it can be safely placed in a form field in the event it has HTML tags.
 	 *
+	 * @deprecated	3.0.0	An alias for html_escape()
 	 * @param	string|string[]	$str		Value to escape
-	 * @param	bool		$is_textarea	Whether we're escaping for a textarea element
 	 * @return	string|string[]	Escaped values
 	 */
-	function form_prep($str = '', $is_textarea = FALSE)
+	function form_prep($str)
 	{
-		if (is_array($str))
-		{
-			foreach (array_keys($str) as $key)
-			{
-				$str[$key] = form_prep($str[$key], $is_textarea);
-			}
-
-			return $str;
-		}
-
-		if ($is_textarea === TRUE)
-		{
-			return str_replace(array('<', '>'), array('&lt;', '&gt;'), stripslashes($str));
-		}
-
-		return str_replace(array("'", '"'), array('&#39;', '&quot;'), stripslashes($str));
+		return html_escape($str, TRUE);
 	}
 }
 
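Review bot: Removing the default from `$str` makes the deprecated alias stricter than the function it replaces, because a bare `form_prep()` call that was valid before now fails on the missing argument. Keeping `function form_prep($str = '')` preserves the old call shape for the deprecation period. The docblock should also say that a second argument is now ignored and that the output differs from the old one. There is no `stripslashes()` any more, and the escaping is whatever `html_escape()` applies rather than the old quote-only or bracket-only replacement. Callers that relied on the previous textarea mode then know to re-check their templates.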
@@ -691,10 +676,9 @@
 	 *
 	 * @param	string	$field		Field name
 	 * @param	string	$default	Default value
-	 * @param	bool	$is_textarea	Whether the field is a textarea element
 	 * @return	string
 	 */
-	function set_value($field = '', $default = '', $is_textarea = FALSE)
+	function set_value($field, $default = '')
 	{
 		$CI =& get_instance();
 
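Review bot: The `set_value()` docblock loses `$is_textarea` but gains no statement that the return value is now passed through `html_escape()` (see the return line in the @@ -702 hunk). The user guide carries that warning and the source does not, so someone reading only the helper can still feed the result into another form helper. Add a line such as `* NOTE: the returned value is HTML-escaped; passing it to another form helper will double-encode it.` The docblock starts above this hunk.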
@@ -702,7 +686,7 @@
 			? $CI->form_validation->set_value($field, $default)
 			: $CI->input->post($field, FALSE);
 
-		return form_prep($value === NULL ? $default : $value, $is_textarea);
+		return html_escape($value === NULL ? $default : $value);
 	}
 }
 
@@ -721,7 +705,7 @@
 	 * @param	bool
 	 * @return	string
 	 */
-	function set_select($field = '', $value = '', $default = FALSE)
+	function set_select($field, $value = '', $default = FALSE)
 	{
 		$CI =& get_instance();
 
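Review bot: The `@param	bool` line in this docblock has no parameter name, and the `set_checkbox()` docblock at @@ -768 has the same gap, while `set_radio()` already reads `@param	bool	$default`. Since these signatures are being touched anyway, complete both as `@param	bool	$default`. `$field` also becomes a required argument here and in the two following hunks, which the docblocks could mention for callers that relied on the empty-string default.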
@@ -768,7 +752,7 @@
 	 * @param	bool
 	 * @return	string
 	 */
-	function set_checkbox($field = '', $value = '', $default = FALSE)
+	function set_checkbox($field, $value = '', $default = FALSE)
 	{
 		$CI =& get_instance();
 
@@ -815,7 +799,7 @@
 	 * @param	bool	$default
 	 * @return	string
 	 */
-	function set_radio($field = '', $value = '', $default = FALSE)
+	function set_radio($field, $value = '', $default = FALSE)
 	{
 		$CI =& get_instance();
 
@@ -921,7 +905,7 @@
 		{
 			if ($key === 'value')
 			{
-				$val = form_prep($val);
+				$val = html_escape($val);
 			}
 			elseif ($key === 'name' && ! strlen($default['name']))
 			{
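Review bot: Only the `value` key is escaped in the lines shown; the `name` branch and, presumably, every other attribute handled by this loop reach the tag as supplied. If that is intended, say so at the branch, e.g. `// Only 'value' is escaped here; other attributes must already be safe for an HTML attribute context.` The loop header and the concatenation that follows are outside this hunk, so confirm against the full function before relying on this.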
diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst
index aace028..e389d0a 100644
--- a/user_guide_src/source/changelog.rst
+++ b/user_guide_src/source/changelog.rst
@@ -104,7 +104,7 @@
    -  :doc:`Form Helper <helpers/form_helper>` changes include:
 
       - :func:`form_dropdown()` will now also take an array for unity with other form helpers.
-      - :func:`form_prep()`'s second argument now only accepts a boolean value, which determines whether the value is escaped for a <textarea> or a regular <input> element.
+      - :func:`form_prep()` is now DEPRECATED and only acts as an alias for :doc:`common function <general/common_functions>` :func:`html_escape()`.
 
    -  :doc:`Security Helper <helpers/security_helper>` changes include:
 
diff --git a/user_guide_src/source/helpers/form_helper.rst b/user_guide_src/source/helpers/form_helper.rst
index 4fa5f24..5af0d40 100644
--- a/user_guide_src/source/helpers/form_helper.rst
+++ b/user_guide_src/source/helpers/form_helper.rst
@@ -19,6 +19,31 @@
 
 	$this->load->helper('form');
 
+Escaping field values
+=====================
+
+You may need to use HTML and characters such as quotes within your form
+elements. In order to do that safely, you'll need to use
+:doc:`common function <../general/common_functions>`
+:func:`html_escape()`.
+
+Consider the following example::
+
+	$string = 'Here is a string containing "quoted" text.';
+
+	<input type="text" name="myfield" value="<?php echo $string; ?>" />
+
+Since the above string contains a set of quotes, it will cause the form
+to break. The :func:`html_escape()` function converts HTML special
+characters so that it can be used safely::
+
+	<input type="text" name="myfield" value="<?php echo html_escape($string); ?>" />
+
+.. note:: If you use any of the form helper functions listed on this page,
+	the form values will be automatically escaped, so there is no need
+	to call this function. Use it only if you are creating your own
+	form elements.
+
 Available Functions
 ===================
 
@@ -546,37 +571,10 @@
 		// Would produce:  </form> </div></div>
 
 
-.. function:: form_prep([$str = ''[, $is_textarea = FALSE]])
-
-	:param	string	$str: Value to escape
-	:param	bool	$is_textarea: Whether we're preparing for <textarea> or a regular input tag
-	:returns:	Escaped value
-	:rtype:	string
-
-	Allows you to safely use HTML and characters such as quotes within form
-	elements without breaking out of the form.
-
-	Consider this example::
-
-		$string = 'Here is a string containing "quoted" text.';
-		<input type="text" name="myform" value="$string" />
-
-	Since the above string contains a set of quotes it will cause the form
-	to break. The ``form_prep()`` function converts HTML so that it can be used
-	safely::
-
-		<input type="text" name="myform" value="<?php echo form_prep($string); ?>" />
-
-	.. note:: If you use any of the form helper functions listed in this page the form
-		values will be prepped automatically, so there is no need to call this
-		function. Use it only if you are creating your own form elements.
-
-
-.. function:: set_value([$field = ''[, $default = ''[, $is_textarea = FALSE]]])
+.. function:: set_value($field[, $default = ''])
 
 	:param	string	$field: Field name
 	:param	string	$default: Default value
-	:param	bool	$is_textarea: Whether we're setting <textarea> content
 	:returns:	Field value
 	:rtype:	string
 
@@ -587,12 +585,16 @@
 
 	Example::
 
-		<input type="text" name="quantity" value="<?=set_value('quantity', '0');?>" size="50" />
+		<input type="text" name="quantity" value="<?php echo set_value('quantity', '0'); ?>" size="50" />
 
 	The above form will show "0" when loaded for the first time.
 
+	.. note:: Only use this function with raw HTML fields, as it
+		internally calls :func:`html_escape()` and combining its
+		usage with other form helper functions will result in
+		double HTML encoding!
 
-.. function:: set_select([$field = ''[, $value = ''[, $default = FALSE]]])
+.. function:: set_select($field[, $value = ''[, $default = FALSE]])
 
 	:param	string	$field: Field name
 	:param	string	$value: Value to check for
@@ -615,7 +617,7 @@
 			<option value="three" <?php echo  set_select('myselect', 'three'); ?> >Three</option>
 		</select>
 
-.. function:: set_checkbox([$field = ''[, $value = ''[, $default = FALSE]]])
+.. function:: set_checkbox($field[, $value = ''[, $default = FALSE]])
 
 	:param	string	$field: Field name
 	:param	string	$value: Value to check for
@@ -634,7 +636,7 @@
 		<input type="checkbox" name="mycheck" value="1" <?php echo set_checkbox('mycheck', '1'); ?> />
 		<input type="checkbox" name="mycheck" value="2" <?php echo set_checkbox('mycheck', '2'); ?> />
 
-.. function:: set_radio([$field = ''[, $value = ''[, $default = FALSE]]])
+.. function:: set_radio($field[, $value = ''[, $default = FALSE]])
 
 	:param	string	$field: Field name
 	:param	string	$value: Value to check for
@@ -699,4 +701,21 @@
 			<span class="error">The "email" field doesn't contain a valid e-mail address!</span>
 			<span class="error">The "password" field doesn't match the "repeat_password" field!</span>
 
-		 */
\ No newline at end of file
+		 */
+
+.. function:: form_prep($str)
+
+	:param	string	$str: Value to escape
+	:returns:	Escaped value
+	:rtype:	string
+
+	Allows you to safely use HTML and characters such as quotes within form
+	elements without breaking out of the form.
+
+	.. note:: If you use any of the form helper functions listed in this page the form
+		values will be prepped automatically, so there is no need to call this
+		function. Use it only if you are creating your own form elements.
+
+	.. note:: This function is DEPRECATED and is just an alias for
+		:doc:`common function <../general/common_functions>`
+		:func:`html_escape()` - please use that instead.
\ No newline at end of file
diff --git a/user_guide_src/source/installation/upgrade_300.rst b/user_guide_src/source/installation/upgrade_300.rst
index 3e6db39..c62b28f 100644
--- a/user_guide_src/source/installation/upgrade_300.rst
+++ b/user_guide_src/source/installation/upgrade_300.rst
@@ -527,6 +527,18 @@
 .. note:: This function is still available, but you're strongly encouraged to remove its usage sooner
 	rather than later.
 
+Form helper form_prep()
+=======================
+
+:doc:`Form Helper <../helpers/form_helper>` function :func:`form_prep()`
+is now just an alias for :doc:`common function <common_functions>`
+:func:`html_escape()`. It is deprecated and will be removed in the future.
+
+Please use :func:`html_escape()` instead.
+
+.. note:: This function is still available, but you're strongly encouraged
+	to remove its usage sooner rather than later.
+
 Email helper functions
 ======================