form_prep doesn't correctly use already prepped fields in CI 1.7.2
#1

[eluser]logan2z[/eluser]
I think I've found a bug in the form_prep() method of the form_helper helper in CI 1.7.2. The form_prep() method caches already prepped fields in the static $prepped_fields array. On each call to form_prep(), it checks to see if it has already prepped a field with a given name and then attempts to reuse the prepped field, rather than re-prepping it. The code to re-use the already prepped field looks like this in 1.7.2:

Code:
if (isset($prepped_fields[$field_name]))
{
   return $str;
}


However, $str is the un-prepped field, and so the field is returned as-is without being prepped. I believe the code should read like this instead:

Code:
if (isset($prepped_fields[$field_name]))
{
   return $prepped_fields[$field_name];
}
#2

[eluser]kenjis[/eluser]
I think so.
#3

[eluser]kenjis[/eluser]
I've posted a bug report:
http://codeigniter.com/bug_tracker/bug/11284/
#4

[eluser]Felix Egli[/eluser]
In my opinion, form_prep tries to do more than it should, and is badly broken because of that.

See my comment on: http://ellislab.com/forums/viewthread/137613/
#5

[eluser]Stu Green[/eluser]
Yes, I just posted this in another topic. I had already prepped my form fields, so it was double prepping and breaking my HTML entities. It's fixes like these that can really break stuff you've already done, so I guess I need to be extra careful when upgrading CI next time.

CI, please don't change this again, or I'll have to go over it all again. It's fine now as long as you just use the helpers which automatically prep the data.
#6

[eluser]kenjis[/eluser]
If 1.7.2's form_prep is a spec, there is a security problem like this:

In Japan, a confirmation page is generally required. On the confirmation page,
if we use hidden input tags to pass the user input data back when a user returns to the input
page, there is an XSS vulnerability.

Code:
<dl>
  <dt>name:</dt>
  <dd><?php echo set_value('name'); ?></dd>
  <dt>e-mail:</dt>
  <dd><?php echo set_value('email'); ?></dd>
  <dt>subject:</dt>
  <dd><?php echo set_value('subject'); ?></dd>
  <dt>body:</dt>
  <dd><?php echo nl2br(set_value('body')); ?></dd>
</dl>

<div>
  <form action="<?php echo site_url('form'); ?>" method="post">
    <?php echo form_hidden('name', set_value('name')); ?>
    <?php echo form_hidden('email', set_value('email')); ?>
    <?php echo form_hidden('subject', set_value('subject')); ?>
    <?php echo form_hidden('body', set_value('body')); ?>
    <p><input type="submit" value="back to input page" /></p>
  </form>
  <form action="<?php echo site_url('form/post'); ?>" method="post">
    <?php echo form_hidden('name', set_value('name')); ?>
    <?php echo form_hidden('email', set_value('email')); ?>
    <?php echo form_hidden('subject', set_value('subject')); ?>
    <?php echo form_hidden('body', set_value('body')); ?>
    <p><input type="submit" value="send" /></p>
  </form>
</div>
#7

[eluser]kenjis[/eluser]
[quote author="Felix Egli" date="1265589656"]in my opinion, form_prep tries to do more than it should do, and is badly broken because of that.

see my comment on: http://ellislab.com/forums/viewthread/137613/[/quote]

The above thread is about another bug. This thread's bug is not related to it.
#8

[eluser]Simon Paquet[/eluser]
Has anyone built a custom prep_for_form (from the validation library) or form_prep (from the form helper) function so that it does not double-encode HTML entities?

When I write, for instance, ' (a single quote), the result in the input text is
Code:
'
and in the source code
Code:
&amp;#39;
Looks like one of these is called twice
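The following is an added example, not CodeIgniter's own code and not code posted by anyone in this thread. It models the two form_prep() variants from post #1 (the 1.7.2 cache check and the proposed fix) as reduced PHP functions, runs them through the one-field version of the confirmation page from post #6 to show where the XSS comes from, and adds a cache-free, idempotent variant of the kind asked about in post #8. The bodies of form_prep, set_value and form_hidden here are simplified reconstructions written for this illustration (assumption: they keep only the escaping and the per-field-name static cache that the thread discusses), and the attacker payload is constructed.

```php
<?php
// Added example, not CodeIgniter's code: reduced models of form_prep() as
// described in post #1, driven through the confirmation-page flow of post #6,
// plus a cache-free variant of the kind asked about in post #8. The helper
// bodies are simplified reconstructions for illustration, not library source.

// Post #1: the 1.7.2 behaviour. A cache hit returns $str untouched, and $str
// is whatever the caller passed in, which may be raw user input.
function form_prep_172($str = '', $field_name = '')
{
    static $prepped_fields = array();

    if ($str === '') {
        return '';
    }
    if (isset($prepped_fields[$field_name])) {
        return $str;                                     // BUG: not escaped
    }
    $str = htmlspecialchars($str, ENT_QUOTES, 'UTF-8');
    if ($field_name != '') {
        $prepped_fields[$field_name] = $str;
    }
    return $str;
}

// Post #1: the fix proposed in the thread, returning the cached escaped copy.
function form_prep_fixed($str = '', $field_name = '')
{
    static $prepped_fields = array();

    if ($str === '') {
        return '';
    }
    if (isset($prepped_fields[$field_name])) {
        return $prepped_fields[$field_name];             // escaped copy
    }
    $str = htmlspecialchars($str, ENT_QUOTES, 'UTF-8');
    if ($field_name != '') {
        $prepped_fields[$field_name] = $str;
    }
    return $str;
}

// Post #8: no cache at all. double_encode=false (PHP >= 5.2.3) leaves
// existing entities alone, so prepping twice gives the same result as once.
function form_prep_idempotent($str = '', $field_name = '')
{
    return htmlspecialchars($str, ENT_QUOTES, 'UTF-8', false);
}

// Stand-ins for set_value() and form_hidden(), parameterised on the prep
// function so the three variants can be compared in one script.
function set_value_with($prep, array $post, $field)
{
    return isset($post[$field]) ? $prep($post[$field], $field) : '';
}

function form_hidden_with($prep, $name, $value)
{
    return '<input type="hidden" name="' . $name . '" value="' . $prep($value, $name) . '" />';
}

// The confirmation page from post #6 reduced to one field: the value is
// displayed once, then passed through set_value() again into form_hidden().
function render_confirmation($prep, array $post)
{
    $display = '<dd>' . set_value_with($prep, $post, 'name') . '</dd>';
    $hidden  = form_hidden_with($prep, 'name', set_value_with($prep, $post, 'name'));
    return array($display, $hidden);
}

// Constructed attacker input: closes the value attribute and injects script.
$post = array('name' => '"><script>alert(1)</script>');

foreach (array('form_prep_172', 'form_prep_fixed', 'form_prep_idempotent') as $prep) {
    list($display, $hidden) = render_confirmation($prep, $post);
    $verdict = (strpos($hidden, '<script>') === false) ? 'ok' : 'XSS';
    printf("%-21s %s\n  %s\n  %s\n", $prep, $verdict, $display, $hidden);
}
```

With form_prep_172 the first set_value() call escapes and caches 'name', so the <dd> is safe; the second set_value() call inside form_hidden() hits the cache and returns the raw POST value, and form_hidden()'s own form_prep() call hits the cache again, so the raw payload lands inside value="" and the line is reported as XSS. Both other variants print single-escaped output for the display and the hidden field. Note that the modelled fix keys its cache on the field name only, so within one request two different values prepped under the same name would both come back as the first one's escaped copy; the cache-free variant avoids that, at the cost of treating any entity the user typed literally (such as &amp;) as already encoded.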