Textarea and converting entities
#5

I had this exact same problem when I wrote the CodeIgniter Form Validation Plugin for BootPress.  It took me a long time to figure out what was going on, but basically form_prep() is being called twice so it is encoding the entities twice.  That is why you can save it fine in a database the first time, but then it is all screwed up the second time around.  CodeIgniter 2.x used to check if the value had been prepped before in a convoluted sort of way, but they removed that in CodeIgniter 3.x without any supporting documentation that I have run across.  They also added stripslashes() and removed htmlspecialchars() for no apparent reason.  The solution is to create a form_helper.php file in your application/helpers folder with the following:

PHP Code:
<?php

##
# This is to correct undocumented changes from 2.2.0 to 3.0
# Textarea values are being processed twice if used in conjunction with set_value()
# I understand the limitations, but why get rid of the $prepped_fields array() ?
# Why all of a sudden add stripslashes() ?
# What was wrong with htmlspecialchars() ?
# HTML Entities are all screwed up with the new changes so ...
##

if ( ! function_exists('form_prep'))
{
    /**
     * Form Prep
     *
     * Formats text so that it can be safely placed in a form field in the event it has HTML tags.
     *
     * @param    string|string[]    $str            Value to escape
     * @param    bool               $is_textarea    Whether we're escaping for a textarea element
     * @return   string|string[]    Escaped values
     */
    function form_prep($str = '', $is_textarea = FALSE)
    {
        // Values already escaped during this request, keyed by md5 of the escaped string
        static $prepped = array();

        if (is_array($str))
        {
            foreach (array_keys($str) as $key)
            {
                $str[$key] = form_prep($str[$key], $is_textarea);
            }

            return $str;
        }

        if (isset($prepped[md5($str)])) return $str; // this field has already been prepped

        $field = str_replace(array("'", '"'), array("&#39;", "&quot;"), htmlspecialchars($str));

        $prepped[md5($field)] = $str;

        return $field;

        // Everything below is unreachable (the function has already returned above);
        // it is the 3.0 behaviour complained about in the header and is left for comparison only.
        if ($is_textarea === TRUE)
        {
            return str_replace(array('<', '>'), array('&lt;', '&gt;'), stripslashes($str));
        }

        return str_replace(array("'", '"'), array('&#39;', '&quot;'), stripslashes($str));
    }
}

include BASEPATH . 'helpers/form_helper.php';

/* End of file form_helper.php */
/* Location: ./application/helpers/form_helper.php */

We have a static $prepped array that ensures we don't double prep any values, and obviously I think the $is_textarea parameter is superfluous.  You can have html entities in any form field, so why only escape them in textareas?  This has been working perfectly for me, and I create a lot of forms.  I think CodeIgniter should change this before they release 3.0 officially.  Maybe I should tell them that.

(Sorry, I can't get the htmlentities to display correctly, so do not copy and paste the above.  Copy and paste from GitHub instead.)
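As an added example (not code from the post above and not CodeIgniter's own), here is a stand-alone reproduction of the double pass the post describes: prep_once() stands in for an unguarded form_prep(), prep_guarded() for the patched one with the static memo, and the last two calls show the limitation the post says it accepts. Both function names and the sample input are constructed for this demo.

```php
<?php
// Added example, not code from the original post or from CodeIgniter.
// prep_once() mimics form_prep() without an "already prepped" check;
// prep_guarded() mimics the patched form_prep() with its static memo.

// Escape unconditionally. ENT_COMPAT is passed explicitly so the output is the
// same on every PHP version (the default flags changed in PHP 8.1).
function prep_once($str)
{
    $str = htmlspecialchars($str, ENT_COMPAT);
    return str_replace(array("'", '"'), array('&#39;', '&quot;'), $str);
}

// Escape, but remember each result so that feeding it back in is a no-op.
// The memo is keyed by the md5 of the *escaped* string, as in the post.
function prep_guarded($str)
{
    static $prepped = array();
    if (isset($prepped[md5($str)])) {
        return $str; // produced by an earlier call in this request: do not escape again
    }
    $field = str_replace(array("'", '"'), array('&#39;', '&quot;'), htmlspecialchars($str, ENT_COMPAT));
    $prepped[md5($field)] = $str;
    return $field;
}

// Constructed sample input: what the user typed into the textarea.
$submitted = 'Use <b>"bold"</b> & it\'s fine';

// set_value() escapes once, then form_textarea() escapes the result again.
// Unguarded, the second pass turns every "&" of the first pass into "&amp;",
// so the browser shows the entity names literally instead of the original text.
$naive   = prep_once(prep_once($submitted));
// Guarded, the second call recognises its own output and returns it untouched.
$guarded = prep_guarded(prep_guarded($submitted));

echo "naive:   $naive\n";
echo "guarded: $guarded\n";

// The limitation the post alludes to: the memo cannot tell "output of an earlier
// call" from "input that merely looks like it". Once an escaped string has been
// produced in this request, a user who literally types that same string gets it
// passed through unescaped, so the field displays it decoded. The value is still
// HTML-safe (it is already in escaped form); only the literal text is altered.
prep_guarded('a&b');
echo prep_guarded('a&amp;b'), "\n";
```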


Messages In This Thread
Textarea and converting entities - by egall8 - 02-03-2015, 12:39 PM
RE: Textarea and converting entities - by egall8 - 02-05-2015, 09:00 AM
RE: Textarea and converting entities - by Narf - 02-05-2015, 11:16 AM
RE: Textarea and converting entities - by paralogizing - 02-07-2015, 12:18 PM
RE: Textarea and converting entities - by Narf - 02-07-2015, 01:23 PM



Theme © iAndrew 2016 - Forum software by © MyBB