Welcome Guest, Not a member yet? Register   Sign In
Textarea and converting entities

I had this exact same problem when I wrote the CodeIgniter Form Validation Plugin for BootPress.  I took me a long time to figure out what was going on, but basically form_prep() is being called twice so it is encoding the entities twice.  That is why you can save it fine in a database the first time, but then it is all screwed up the second time around.  CodeIgniter 2.x used to check if the value had been prepped before in a convoluted sort of way, but they removed that in CodeIgniter 3.x without any supporting documentation that I have run across.  They also added stripslashes() and removed htmlspecialchars() for no apparent reason.  The solution is to create a form_helper.php file in your application/helpers folder with the following:

PHP Code:

# This is to correct undocumented changes from 2.2.0 to 3.0
# Textarea values are being processed twice if used in conjuction with set_value()
# I understand the limitations, but why get rid of the $prepped_fields array() ?
# Why all of a sudden add stripslashes() ?
# What was wrong with htmlspecialchars() ?
# HTML Entities are all screwed up with the new changes so ...

if ( ! function_exists('form_prep'))
     * Form Prep
     * Formats text so that it can be safely placed in a form field in the event it has HTML tags.
     * @param    string|string[]    $str        Value to escape
     * @param    bool        $is_textarea    Whether we're escaping for a textarea element
     * @return    string|string[]    Escaped values
function form_prep($str ''$is_textarea FALSE)
$prepped = array();
        if (
            foreach (
array_keys($str) as $key)
$str[$key] = form_prep($str[$key], $is_textarea);

        if (isset(
$prepped[md5($str)])) return $str// this field has already been prepped
$field str_replace(array("'"'"'), array("'""&quot;"), htmlspecialchars($str));
$prepped[md5($field)] = $str;
        if (
$is_textarea === TRUE)
str_replace(array('<''>'), array('&lt;''&gt;'), stripslashes($str));

str_replace(array("'"'"'), array(''', '&quot;'), stripslashes($str));

include BASEPATH . '

/* End of file form_helper.php */
/* Location: ./application/helpers/form_helper.php */ 

We have a static $prepped array that ensures we don't double prep any values, and obviously I think the $is_textarea parameter is superfluous.  You can have html entities in any form field, so why only escape them in textareas?  This has been working perfectly for me, and I create a lot of forms.  I think CodeIgniter should change this before they release 3.0 officially.  Maybe I should tell them that.

(Sorry, I can't get the htmlentites to display correctly, so do not copy and paste the above.  Copy and paste from GitHub instead.)

Messages In This Thread
Textarea and converting entities - by egall8 - 02-03-2015, 12:39 PM
RE: Textarea and converting entities - by egall8 - 02-05-2015, 09:00 AM
RE: Textarea and converting entities - by Narf - 02-05-2015, 11:16 AM
RE: Textarea and converting entities - by paralogizing - 02-07-2015, 12:18 PM
RE: Textarea and converting entities - by Narf - 02-07-2015, 01:23 PM

Theme © iAndrew 2016 - Forum software by © MyBB