HTML Escape on form helper

Hi all,
First time using a PHP framework and I chose to go with CI . The documentation is awesome!
I'm a bit confused by the note on this page which says:

If you use any of the form helper functions listed on this page, the form values will be automatically escaped, so there is no need to call this function. Use it only if you are creating your own form elements.

What I thought it meant was if I'm using form helpers like form_input(), I don't have to manually do html_escape to the posted data from these fields. But I found out that this was not the case and the input wasn't html escaped.

Code:

<?=form_open('article/comment')?>
   <?=form_textarea('comment')?>
   <?=form_hidden('article',$article['id'])?>
   <?=form_submit('submit', 'Post comment.')?>
</form>

`echo $this->input->post('comment') ` in the controller returns unescaped html. It is also inserted into the database unescaped. I now use `html_escape($this->input->post())` instead of just `$this->input->post()` as a workaround. Is it the right way to do this? What does "form values will be automatically escaped" in the documentation actually mean?

Thanks in advance!

It means that you don't need to do:

PHP Code:

echo form_input(array(
        'name'    => 'company_name',
        'value'    => set_value('company_name',html_escape($company->name)),
        'class' => 'form-control'
    )); 


And do it like this:

PHP Code:

echo form_input(array(
        'name'    => 'company_name',
        'value'    => set_value('company_name',$company->name),
        'class' => 'form-control'
    )); 


$this->input->post don't escape anything, that should only be done on output. So if you are displaying it directly after submit, you need to escape it. If you are using form_validation and put a field as required and not writing anything in it, but write text in all other fields. form_input() will keep your data intact and escape it for you.

You should not use html_escape on anything you store in your database, but you can validate it with form_validation if you only want numbers. You should however use html_escape when you are displaying it from your database. So you aren't vulnerable to XSS.

Hope this will clear things up for you!

Oh, gotcha. html_escape is used when the data is shown from the db and not when it is inserted. All clear now, thanks!

It means that you don't need to do:

PHP Code:

echo form_input(array(
        'name'    => 'company_name',
        'value'    => set_value('company_name',html_escape($company->name)),
        'class' => 'form-control'
    )); 


And do it like this:

PHP Code:

echo form_input(array(
        'name'    => 'company_name',
        'value'    => set_value('company_name',$company->name),
        'class' => 'form-control'
    )); 


$this->input->post don't escape anything, that should only be done on output. So if you are displaying it directly after submit, you need to escape it. If you are using form_validation and put a field as required and not writing anything in it, but write text in all other fields. form_input() will keep your data intact and escape it for you.

You should not use html_escape on anything you store in your database, but you can validate it with form_validation if you only want numbers. You should however use html_escape when you are displaying it from your database. So you aren't vulnerable to XSS.

Hope this will clear things up for you!