(09-07-2015, 04:45 AM)Diederik Wrote: I hope I understand your question correctly, I think you could use the xss_clean() for this job. It will allow you to populate the inputs in your form with the (unescaped) posted data and then have xss_clean() filter the entire output before sending it back to the browser.
Hello Diederik,
First, thanks for your reply.
Because I use CI's input library, my post data is automatically escaped. The problem is, before I send form data to my database, I use
ascii_to_entities($this->input->post('content')) to ensure all characters like ", ', ä, etc. are converted to their entity. For example, an apostrophe in Word has the code 145 (I think), but I need the code 39 to make it actually appear in my browser. ascii_to_entities() does this. It converts the apostrophe to &#39;, which is the apostrophe I want.
However, if I use the form_helper, which internally uses html_escape, it converts & to &amp;. The next time I save this, ascii_to_entities() converts the & and the whole thing repeats.
Because I don't use bb-code to create my post entries, the html_escape() function converts tags like <p>, <br> and so on to i.e. &lt;br&gt;, which is absolutely OK, because it prevents executing for example JavaScript (<script>alert(document.cookie)</script>).
When I turn html_escape off (by using i.e. form_input('field', 'value', false)), it is a security issue, because the JS code above could be executed.
Hope this was clearer; I don't know how to describe this kind of problem.
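The double-encoding loop described in the post, reproduced in a stand-alone script. This is an added example and not code from the thread or from CodeIgniter; it uses PHP's own htmlspecialchars() and html_entity_decode() in place of CI's html_escape() and ascii_to_entities(), and the function names, the sample input and the "double-encoded" regex are assumptions made here for illustration. It shows why escaping on the way into the database and again when repopulating the form grows "&amp;amp;amp;" on every round trip, the usual fix (store the raw text, escape exactly once at output, which still neutralises the script tag), and a one-off normalisation for rows that are already entity-encoded.

```php
<?php
// Added example (not from the forum thread or CodeIgniter): escaping once at
// output versus escaping on both save and display.

// Constructed sample input, as a user might type it into the form field.
// It contains the apostrophe, an ampersand and the script tag from the thread.
const SAMPLE_INPUT = "It's <b>bold</b> & a <script>alert(document.cookie)</script>";

// Escape for an HTML attribute or text node. ENT_QUOTES turns ' into &#039;
// (character 39, the entity the thread is after); ENT_SUBSTITUTE keeps invalid
// UTF-8 from producing an empty string. Stands in for CI's html_escape().
function escapeForHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8');
}

// Anti-pattern: escape before saving, then escape again when the form helper
// repopulates the field. Each save/reload cycle adds another "amp;".
function saveThenDisplayRepeatedly(string $input, int $roundTrips): string
{
    $stored = escapeForHtml($input);          // escaped copy written to the DB
    for ($i = 0; $i < $roundTrips; $i++) {
        $stored = escapeForHtml($stored);     // form helper escapes it again
    }
    return $stored;
}

// Fix: keep the database value raw and escape exactly once when rendering.
// The script tag is still neutralised because < and > become &lt; and &gt;.
function displayRawStoredValue(string $storedRaw): string
{
    return escapeForHtml($storedRaw);
}

// Detection: rows that already carry a double-encoded entity such as
// "&amp;lt;" or "&amp;#039;". Hypothetical pattern, adequate for the
// entities htmlspecialchars() emits.
function isDoubleEncoded(string $stored): bool
{
    return (bool) preg_match('/&amp;(amp|lt|gt|quot|#0?39);/', $stored);
}

// One-off repair for rows saved under the anti-pattern: decode back to raw
// text, then escape once. Caveat: decoding also turns a literal "&amp;" that
// a user typed on purpose into "&", so run this as a migration, not on every
// request, and prefer storing raw text going forward.
function normaliseStoredValue(string $stored): string
{
    while (isDoubleEncoded($stored)) {
        $stored = html_entity_decode($stored, ENT_QUOTES | ENT_HTML401, 'UTF-8');
    }
    $raw = html_entity_decode($stored, ENT_QUOTES | ENT_HTML401, 'UTF-8');
    return escapeForHtml($raw);
}

// Demonstration.
$once  = displayRawStoredValue(SAMPLE_INPUT);
$twice = saveThenDisplayRepeatedly(SAMPLE_INPUT, 2);

echo "escaped once:   {$once}\n";
// It&#039;s &lt;b&gt;bold&lt;/b&gt; &amp; a &lt;script&gt;alert(document.cookie)&lt;/script&gt;
echo "escaped thrice: {$twice}\n";
// It&amp;amp;#039;s &amp;amp;lt;b&amp;amp;gt;... (grows on every round trip)
echo "double-encoded? " . (isDoubleEncoded($twice) ? 'yes' : 'no') . "\n";   // yes
echo "normalised:     " . normaliseStoredValue($twice) . "\n";              // same as $once
echo "matches once:   " . (normaliseStoredValue($twice) === $once ? 'yes' : 'no') . "\n"; // yes
```

The practical rule the script illustrates: apply entity encoding in exactly one layer. Passing FALSE as the third argument to form_input() to stop the helper from escaping, as the post considers, only works safely if the stored value was escaped on the way in and is never edited and re-saved through the same path; otherwise storing the raw text and letting the form helper escape it on output is the simpler invariant to keep.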