HTML escaping with Form validation 1.7.0
#1

[eluser]onejaguar[/eluser]
CodeIgniter 1.7.0 has a new form validation library which includes a new function that re-populates the $_POST array after you run the validation. If there is an error and the form needs to be re-displayed, it will escape values so they are safe to put in the HTML of a form (e.g. ' becomes &#39;).

I have several problems with this:

1) Any values which don't have rules aren't escaped.
E.g. if I have an optional input with no rules, the values aren't escaped when there is an error in another field and the form gets re-displayed.

2) Values I pull from another source (e.g. from database or a list of default values) and put into $_POST aren't escaped.

#1 is a real problem; even if I define a name and a label for the field, it isn't escaped by the validation library.

#2 Could be solved by escaping values before putting them into $_POST but it seems more elegant to me to only escape things in one place, before displaying them in the form, regardless of the source of the value.

I could just escape everything before the form is displayed, but using htmlspecialchars() escapes ampersands which leads to all kinds of trouble plus it seems wasteful to escape everything twice when there is an error in the form.

Am I missing something or do others agree that escape implementation is squirrely?

This wasn't an issue in CI 1.6 because the validation library didn't re-populate the $_POST array, it just updated its internal variables, so I was able to just handle things the way I wanted in $_POST.
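The single-escaping-point approach the post argues for, as an added example (not CodeIgniter's own code nor the poster's): a small helper escapes every value at display time, and uses htmlspecialchars() with double_encode set to false so entities the validation library already produced (such as &#39;) are left alone while raw values from optional fields or from the database still get escaped. The $post array, the form_value()/text_input() names and the field names are constructed for the illustration.

```php
<?php
// Added example, not part of CodeIgniter: escape form values exactly once,
// at display time, whether they came from the validation library (already
// escaped), from an optional field with no rules (raw), or from a database
// or default value the controller copied into $_POST (raw).

/**
 * Return a value safe for use inside a double-quoted HTML attribute.
 * ENT_QUOTES escapes both ' and "; double_encode=false leaves existing
 * entities such as &#39; or &amp; untouched, so values the validation
 * library already escaped are not escaped a second time.
 */
function form_value($name, array $source, $default = '')
{
    $raw = array_key_exists($name, $source) ? $source[$name] : $default;
    return htmlspecialchars((string) $raw, ENT_QUOTES, 'UTF-8', false);
}

/**
 * Build one <input> tag. Both attribute values pass through escaping,
 * so the template never has to remember which fields had rules.
 */
function text_input($name, array $source, $default = '')
{
    return '<input type="text" name="' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8')
         . '" value="' . form_value($name, $source, $default) . '" />';
}

// Constructed sample of $_POST as it might look after a failed validation run:
//  - 'title'   had a rule, so the library already turned ' into &#39;
//  - 'notes'   had no rule and is still raw (problem 1 in the post)
//  - 'company' was copied from the database by the controller (problem 2)
$post = array(
    'title'   => 'O&#39;Reilly &amp; Sons',
    'notes'   => 'He said "hi" <b>bold</b>',
    'company' => 'Smith & Wesson <Ltd>',
);

echo text_input('title',   $post), "\n";
echo text_input('notes',   $post), "\n";
echo text_input('company', $post), "\n";
echo text_input('missing', $post, 'n/a'), "\n";
```

With these inputs the title is emitted as O&#39;Reilly &amp; Sons rather than being doubled to &amp;#39;, the raw quote and tags in notes and company are turned into &quot;, &lt; and &gt;, and the missing field falls back to the default. The trade-off of double_encode=false is fidelity, not safety: a user who literally types &amp; into an unvalidated field will see it rendered as & on re-display, but no value can close the attribute or start a tag, which is the property that matters for preventing injection into the page.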


Messages In This Thread
HTML escaping with Form validation 1.7.0 - by El Forum - 09-26-2008, 01:52 PM


