Form validation: Is "htmlspecialchars" run no matter what?
#1

[eluser]davidbehler[/eluser]
Ok, I have this setup:

form_validation.php in config folder:
Code:
$config = array(
   'post' => array(
      array(
         'field' => 'post_content',
         'label' => 'Content',
         'rules' => 'trim|required|xss_clean'
      )
   )
);

test.php in controller folder:
Code:
function post()
   {
      $this->load->library('form_validation');
      if ($this->form_validation->run('post') == FALSE)
      {
         // show error message
      }
      else
      {
         // do some stuff
      }
      $this->load->view('post');
   }

post.php in view folder:
Code:
echo form_open('test/post');

$data = array(
   'name'  => 'post_content',
   'id'    => 'post_content',
   'cols'  => '100',
   'rows'  => '5',
   'value' => set_value('post_content')
);

echo form_textarea($data);

echo form_submit(array('value' => 'submit'));
echo form_close();

So far so easy, but now I got the following problem:
No matter what I enter into textarea, it seems like it's run through "htmlspecialchars", even though I have no such rule defined!

Example:
Entered value: <p>test</p>
"echo set_value('post_content');" BEFORE the validation is run: <p>test</p>
"echo set_value('post_content');" AFTER the validation is run: &lt;p&gt;test&lt;/p&gt; (damn board keeps escaping my examples..)

Anyway, the first echo returns the value just like I entered it, the second one returns it as run through "htmlspecialchars" even though there is no such rule for that field!

Any ideas why?
Help appreciated!
#2

[eluser]davidbehler[/eluser]
Found the reason for the escaped characters. It's the "prep_for_form" method that's being run on every value of $_POST after validation run.

As the above setup is not my actual setup but a very much simplified one, it didn't show the real reason the described behaviour disturbed me: I'm trying to integrate FCKeditor into my application and because FCK is a WYSIWYG editor it generates real html code and needs to be fed with html code to be able to edit it. But the before-mentioned function takes the valid html code from the $_POST array and replaces some characters with their html entities and FCKeditor can't handle those.

Now I have to create a function to reverse that effect for those fields I want to edit using the FCKeditor.

Would be nice if there could be a flag or something similar that I can set for each field, which is then used to determine whether prep_for_form should be run on it or not. Default would be TRUE of course!
#3

[eluser]BaCeTo[/eluser]
I have got the same problem today. It took me and a colleague about an hour to find what breaks my validation. I dumped 3 or 4 times the database, and had the same problem again and again. And as usual the problem was at the last place you would expect it to be ...
Here is a fix of it. I wrote a helper to rewrite the original set_value() and form_prep function from the form_helper.
The name of the function is concatenated with i18n because the project I am working on is based on the i18n controller, and uses the i18n helper quite a lot!

Anyway, I hope the piece of code will help someone!


Code:
function form_i18n_prep($str = '')
{
    // if the field name is an array we do this recursively
    if (is_array($str))
    {
        foreach ($str as $key => $val)
        {
            $str[$key] = form_i18n_prep($val);
        }

        return $str;
    }

    if ($str === '')
    {
        return '';
    }

    $temp = '__TEMP_AMPERSANDS__';

    // Replace entities with temporary markers so that
    // htmlspecialchars won't mess them up
    $str = preg_replace("/&#(\d+);/", "$temp\\1;", $str);
    $str = preg_replace("/&(\w+);/",  "$temp\\1;", $str);

    // This is from the original helper; it is not necessary for FCKeditor,
    // which must receive the raw HTML it produced:
    //$str = htmlspecialchars($str);

    // In case htmlspecialchars misses these (from the original helper).
    // Not needed either, as quotes are automatically escaped by FCK...
    //$str = str_replace(array("'", '"'), array("&#39;", "&quot;"), $str);

    // Decode the temp markers back to entities
    $str = preg_replace("/$temp(\d+);/", "&#\\1;", $str);
    $str = preg_replace("/$temp(\w+);/", "&\\1;", $str);

    return $str;
}


// ------------------------------------------------------------------------

/**
 * Form Value
 *
 * Grabs a value from the POST array for the specified field so you can
 * re-populate an input field or textarea.  If Form Validation
 * is active it retrieves the info from the validation class
 *
 * @access    public
 * @param    string
 * @return    mixed
 */

// A complete copy of the form_helper function; it just
// implements a little less strict form preparation.

function set_value_i18n($field = '', $default = '')
{
    if (FALSE === ($OBJ =& _get_validation_object()))
    {
        if ( ! isset($_POST[$field]))
        {
            return $default;
        }

        return form_i18n_prep($_POST[$field]);
    }

    return form_i18n_prep($OBJ->set_value($field, $default));
}

Best luck with coding!
#4

[eluser]xwero[/eluser]
I agree the prep_for_form should be removed from the _reset_post_array method and should be added to the set_value method where a third parameter will call the method or not.
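The per-field switch asked for in post #2 and proposed in post #4, written out as an added example (this is not code from the CodeIgniter form helper or from anyone in this thread). It re-implements the entity-marker trick that form_prep() uses, so values holding entities such as &amp;amp; are not escaped twice, and adds a third parameter that skips the escaping for a WYSIWYG field. The names prep_field() and set_value_flag() are assumptions for illustration.

```php
<?php
// Added example, not CodeIgniter's own helper. prep_field() mirrors the
// form_prep() behaviour described in the thread; set_value_flag() is the
// set_value() variant with a per-field "prep or not" switch (post #4).

// Escape a value for reuse inside an attribute or textarea, without
// double-encoding entities that are already present in it.
function prep_field($str)
{
    if (is_array($str)) {
        foreach ($str as $k => $v) { $str[$k] = prep_field($v); }
        return $str;
    }
    if ($str === '') { return ''; }

    $temp = '__TEMP_AMPERSANDS__';
    // park existing entities so htmlspecialchars() does not touch their '&'
    $str = preg_replace('/&#(\d+);/', $temp . '\1;', $str);
    $str = preg_replace('/&(\w+);/',  $temp . '\1;', $str);
    $str = htmlspecialchars($str, ENT_QUOTES, 'UTF-8');
    // restore the parked entities
    $str = preg_replace('/' . $temp . '(\d+);/', '&#\1;', $str);
    $str = preg_replace('/' . $temp . '(\w+);/', '&\1;', $str);
    return $str;
}

// set_value() variant: with $prep = FALSE the submitted value is returned
// untouched, for an editor field that must be fed its own HTML back.
function set_value_flag(array $post, $field, $default = '', $prep = TRUE)
{
    if ( ! isset($post[$field])) { return $default; }
    return $prep ? prep_field($post[$field]) : $post[$field];
}

// constructed sample submission (not real thread data)
$post = array('post_content' => '<p>a &amp; b</p>', 'title' => 'x"y');
echo set_value_flag($post, 'title'), "\n";                   // x&quot;y
echo set_value_flag($post, 'post_content'), "\n";            // &lt;p&gt;a &amp; b&lt;/p&gt;
echo set_value_flag($post, 'post_content', '', FALSE), "\n"; // <p>a &amp; b</p>
```

The unescaped branch only makes sense for a field that still carries the xss_clean rule from the validation config shown in post #1; it removes the output escaping, not the input filtering.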