CodeIgniter Forums

Full Version: html_escape on set_value
You're currently viewing a stripped down version of our content. View the full version with proper formatting.

El Forum

[eluser]royduin[/eluser]
Hi!

For this example I've got a input in a view:

Code:
<input type="text" name="name" value="<? echo set_value('name'); ?>" />

If the form is submitted it will run trought the form_validation in it's controller. If it fails the value will be returned to the view. But if I fill in:
Code:
"><h1>It works!</h1>

The result will be:
Code:
&lt;input type="text" name="name" value=""&gt;&lt;h1>It works!</h1>" />

After the validation I see the H1! So it's not escaping with htmlspecialchars or CI's own function: html_escape.

What's the best solution to fix this and how do you fixed this?

Just run it trought html_escape in the view, like: ?
Code:
&lt;input type="text" name="name" value="&lt;? echo html_escape(set_value('name')); ?&gt;" /&gt;

Thanks!

El Forum

[eluser]royduin[/eluser]
Somebody?

El Forum

[eluser]LuckyFella73[/eluser]
That should help you ( htmlentities ):
http://ellislab.com/forums/viewthread/225038/#1032189

Generally I would prefer to use textares for HTML input,
just my personal preference maybe.

El Forum

[eluser]royduin[/eluser]
Thanks but as you can see the input is for a name, but if somebody don't fill in his name but:
Code:
"><h1>It works!</h1>
It "breaks" the code and the H1 is visible when the form validation in the controller fails! So set_value doesn't escape thinks like the html_escape function do.

So my question is how people fix this or what's the best practice?

El Forum

[eluser]LuckyFella73[/eluser]
I don't know what is the best praxis but using the "htmlentities" function
should solve the problem breaking your HTML.

El Forum

[eluser]royduin[/eluser]
Ok, I litty addition:
The problem is apparently the default value, not the returned value from set_value, that's likely escaped. Can someone confirm that the value returned from set_value is escaped?

OK:
Code:
&lt;input type="text" name="name" value="&lt;? echo set_value('name'); ?&gt;" /&gt;
LIKE:
Code:
&lt;input type="text" name="name" value="&quot;&gt;&lt;h1&gt;It works!&lt;/h1&gt;" /&gt;

Not OK (when the form is succesfully submited, but when you go back to the form and $name is the value pasted in):
Code:
&lt;input type="text" name="name" value="&lt;? echo set_value('name',$name); ?&gt;" /&gt;
LIKE:
Code:
&lt;input type="text" name="name" value=""&gt;&lt;h1>It works!</h1>" />

Solution:
Code:
&lt;input type="text" name="name" value="&lt;? echo set_value('name',html_escape($name)); ?&gt;" /&gt;
WILL BE:
Code:
&lt;input type="text" name="name" value="&quot;&gt;&lt;h1&gt;It works!&lt;/h1&gt;" /&gt;

El Forum

[eluser]royduin[/eluser]
Someone?

El Forum

[eluser]EzraBynx[/eluser]
set_value() does not escape anything. You should escape your HTML with html_escape() or add it to a text area.

El Forum

[eluser]EzraBynx[/eluser]
I think you may want to look into form_prep() as well which is called automatically when you use set_value(). form_prep() is why you are seeing the HTML escape happening.

From the manual:

form_prep()

Allows you to safely use HTML and characters such as quotes within form elements without breaking out of the form. Consider this example:

$string = 'Here is a string containing "quoted" text.';

&lt;input type="text" name="myform" value="$string" /&gt;
Since the above string contains a set of quotes it will cause the form to break. The form_prep function converts HTML so that it can be used safely:

&lt;input type="text" name="myform" value="&lt;?php echo form_prep($string); ?&gt;" /&gt;
Note: If you use any of the form helper functions listed in this page the form values will be prepped automatically, so there is no need to call this function. Use it only if you are creating your own form elements.

El Forum

[eluser]royduin[/eluser]
If I look at set_value it runs through form_prep. When I take a look at form_prep it runs through html_escape! And html_escape is the same as htmlspecialchars with ENT_QUOTES and the charset.

So.. set_value takes values through htmlspecialchars!
But.. the default value just returns! So that is what I have to escape manuel like:
Code:
&lt;input type="text" name="name" value="&lt;? echo set_value('name',html_escape($name)); ?&gt;" /&gt;

Thanks for the explanation!