Welcome Guest, Not a member yet? Register   Sign In
HTML escaping with Form valiation 1.7.0

CodeIgniter 1.7.0 has a new form validation library which includes a new function that re-populates the $_POST array after you run the validation. If there is an error and the form needs to be re-displayed, it will escape values so they are safe to put in the HTML of a form (e.g ' becomes 'Wink.

I have several problems with this;

1) Any values which don't have rules aren't escaped.
E.g if I have an optional input with no rules the values aren't escaped when there is an error in another field and the form gets re-displayed.

2) Values I pull from another source (e.g. from database or a list of default values) and put into $_POST aren't escaped.

#1 Is a real problem; even if I define a name a label for the field it isn't escaped by the validation library.

#2 Could be solved by escaping values before putting them into $_POST but it seems more elegant to me to only escape things in one place, before displaying them in the form, regardless of the source of the value.

I could just escape everything before the form is displayed, but using htmlspecialchars() escapes ampersands which leads to all kinds of trouble plus it seems wasteful to escape everything twice when there is an error in the form.

Am I missing something or do others agree that escape implementation is squirrely?

This wasn't an issue in CI 1.6 because the validation library didn't re-populate the $_POST array, it just updated it's internal variables, so I was able to just handle things the way I wanted in $_POST.

[eluser]Phil Sturgeon[/eluser]
Thinking over my code I cant imagine this being a problem for any of my work, but I can definatly see how it would be. This should definatly be an optional feature with a config switch, as that is pretty damn invasive!

[eluser]Josip Jelic[/eluser]
I'm running into same problems. In my opinion set_value should escape "'", '"', "<" and ">" when used in value attribute of input field or should we do that by hand every time???

What's the best practice?

Let's take this case:

Someone enters this text in text field: Muhahaha I'm "evil"

Repopulating with set_value produces this:
&lt;input type="text" value="Muhahaha i'm "evil""&gt;
which IS evil Smile

Sry for hijacking the tread..

onejaguar the validation library did repopulate the POST global how else could $this->validation->field have the same value as $_POST['field'] or in CI syntax $this->input->post('field')? I believe it is done in the run method.

I think the values should be escaped only if it likely they are going to be displayed and that is when there is an error. But when you are using the form functions to build the inputs or you are using form_prep in static inputs the escaping is done for you so you should be able to decide if you want to escape the posted values or not. thepyromaniac suggested a switch but why not a method?
if( ! $this->form_validation->run())
   // ...
// ...

Theme © iAndrew 2016 - Forum software by © MyBB