CI 2.1.4, Form validation bug?
#1

[eluser]Unknown[/eluser]
Hello everybody,

I was testing the framework, and was trying to use the prep_for_form in a form validation to prevent HTML injection.

Code:
// Rule names are separated by "|" with no surrounding whitespace;
// a padded name such as " prep_for_form" is not found and is skipped.
$this->form_validation->set_rules('title', 'Title', 'required|prep_for_form');
$this->form_validation->set_rules('text', 'text', 'required|prep_for_form');


I tested it in a few examples and was unsuccessful in preventing the injection.

I decided to take a look at Form_validation.php and found the following suspicious lines:

Code:
if ($total_errors > 0)
{
    $this->_safe_form_data = TRUE;
}

By changing to

Code:
if ($total_errors == 0)

the code started to work like a charm! Is that a bug? Or am I missing something in the broader view?

Thanks!
Luiz
#2

[eluser]Unknown[/eluser]
Just to clarify, this snippet of code

Code:
if ($total_errors > 0)
{
    $this->_safe_form_data = TRUE;
}

is inside the function run() in Form_validation.php.

Code:
public function run($group = '')
{
//......
}

And the only place where there is another reference to the variable _safe_form_data is inside the prep_for_form() function:

Code:
public function prep_for_form($data = '')
{

    //Rest of function goes here....

    // Escaping only happens when run() has set the flag above.
    if ($this->_safe_form_data == FALSE OR $data === '')
    {
        return $data;
    }

    // Single quotes become &#39; so the value can sit inside a quoted attribute.
    return str_replace(array("'", '"', '<', '>'), array('&#39;', '&quot;', '&lt;', '&gt;'), stripslashes($data));

}

I'm not sure if there is a bug or not. But when I tested, _safe_form_data always evaluated to false... and the prep_for_form option on set_rules didn't do anything.

Any insight about what is happening? Thanks!
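An added example, written for this thread and not taken from the poster or from CodeIgniter: a stand-alone PHP script that reproduces the gating shown in the two quoted snippets, so the behaviour reported above can be observed without the framework. The class name, the constructed input and the minimal "required" check are assumptions for the demonstration; the only CodeIgniter logic copied is the two quoted conditions.

```php
<?php
// Added example (not from the forum post or CodeIgniter itself): a minimal
// model of the quoted run() / prep_for_form() gating around _safe_form_data.
class MiniValidator
{
    private $_safe_form_data = FALSE;
    private $total_errors = 0;

    // Mirrors the quoted run() snippet: the flag is set only when errors exist.
    public function run(array $post, array $required)
    {
        foreach ($required as $field) {
            if (!isset($post[$field]) || trim($post[$field]) === '') {
                $this->total_errors++;
            }
        }
        if ($this->total_errors > 0) {
            $this->_safe_form_data = TRUE;
        }
        return $this->total_errors === 0;
    }

    // Same gating as the quoted prep_for_form(): no flag, no escaping.
    public function prep_for_form($data = '')
    {
        if ($this->_safe_form_data == FALSE OR $data === '') {
            return $data;
        }
        return str_replace(array("'", '"', '<', '>'),
                           array('&#39;', '&quot;', '&lt;', '&gt;'),
                           stripslashes($data));
    }
}

// Constructed input containing every character prep_for_form() rewrites.
$title = '<b>It\'s "bold"</b>';

// Case 1: every rule passes, so the flag stays FALSE and the value is
// handed back exactly as submitted.
$ok = new MiniValidator();
$ok->run(array('title' => $title, 'text' => 'hello'), array('title', 'text'));
printf("valid submission:   %s\n", $ok->prep_for_form($title));

// Case 2: a required field is empty, so the flag is set and the same
// value now comes back escaped.
$bad = new MiniValidator();
$bad->run(array('title' => $title, 'text' => ''), array('title', 'text'));
printf("invalid submission: %s\n", $bad->prep_for_form($title));

// Escaping at output time does not depend on the validator's flag at all.
printf("escaped on output:  %s\n", htmlspecialchars($title, ENT_QUOTES, 'UTF-8'));
```

Run with `php example.php`; the takeaway for anyone who wants HTML in a field neutralised regardless of whether validation passed is to escape when the value is rendered (htmlspecialchars() with ENT_QUOTES), rather than relying on a rule whose effect is tied to _safe_form_data.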