Textarea and converting entities
#1

I have a textarea that uses TinyMCE but have tested this with just the normal textarea. When I submit the form the first time with the following line

Code:
<p>testing</p>

it saves that to the database without a problem, but say I updated another field in the form and do not touch the page content text area it saves this.

Code:
<p>&lt;p&gt;testing&lt;/p&gt;</p>

The only form validation rule being applied is trim as well.

PHP Code:
<div class="col-md-10">
    <?php echo form_textarea($inputs['PAGE_CONTENT'], set_value('PAGE_CONTENT', $row->PAGE_CONTENT)); ?>
</div>
Reply
#2

I guess you can use PHP's htmlentities() function:


PHP Code:
<?php echo form_textarea($inputs['PAGE_CONTENT'], set_value('PAGE_CONTENT', htmlentities($row->PAGE_CONTENT))); ?>
Reply
#3

(02-03-2015, 02:23 PM)Avenirer Wrote: I guess you can use PHP's htmlentities() function:



PHP Code:
<?php echo form_textarea($inputs['PAGE_CONTENT'], set_value('PAGE_CONTENT', htmlentities($row->PAGE_CONTENT))); ?>

When I took out the set_value() function from the form_textarea(), I would get the correct values sometimes and other times they wouldn't show up. Do you know if I should be using the set_value() function at all for the form_textarea() function, or would it just be easier to not use the helper for the text area and just use plain HTML and echo out the value inside of a textarea HTML tag?

Also for anyone reading this now: how should I store HTML from the WYSIWYG editor in the database? Should I be running it through any of CodeIgniter's form prep/validation rules or any other PHP functions, or is storing plain HTML OK?
Reply
#4

No WYSIWYG editor is made to work specifically with CodeIgniter. That being said, you should follow their instructions without using CI-specific form functions.
Reply
#5

I had this exact same problem when I wrote the CodeIgniter Form Validation Plugin for BootPress. It took me a long time to figure out what was going on, but basically form_prep() is being called twice so it is encoding the entities twice. That is why you can save it fine in a database the first time, but then it is all screwed up the second time around. CodeIgniter 2.x used to check if the value had been prepped before in a convoluted sort of way, but they removed that in CodeIgniter 3.x without any supporting documentation that I have run across. They also added stripslashes() and removed htmlspecialchars() for no apparent reason. The solution is to create a form_helper.php file in your application/helpers folder with the following:

PHP Code:
<?php

##
# This is to correct undocumented changes from 2.2.0 to 3.0
# Textarea values are being processed twice if used in conjunction with set_value()
# I understand the limitations, but why get rid of the $prepped_fields array() ?
# Why all of a sudden add stripslashes() ?
# What was wrong with htmlspecialchars() ?
# HTML Entities are all screwed up with the new changes so ...
##

if ( ! function_exists('form_prep'))
{
    /**
     * Form Prep
     *
     * Formats text so that it can be safely placed in a form field in the event it has HTML tags.
     *
     * @param    string|string[]    $str        Value to escape
     * @param    bool        $is_textarea    Whether we're escaping for a textarea element
     * @return    string|string[]    Escaped values
     */
    function form_prep($str = '', $is_textarea = FALSE)
    {
        // Remembers values escaped earlier in this request, keyed by md5 of the escaped string
        static $prepped = array();

        if (is_array($str))
        {
            foreach (array_keys($str) as $key)
            {
                $str[$key] = form_prep($str[$key], $is_textarea);
            }

            return $str;
        }

        if (isset($prepped[md5($str)])) return $str; // this field has already been prepped

        $field = str_replace(array("'", '"'), array("&#39;", "&quot;"), htmlspecialchars($str));

        $prepped[md5($field)] = $str;

        return $field;

        // Not reached: execution always returns above.
        if ($is_textarea === TRUE)
        {
            return str_replace(array('<', '>'), array('&lt;', '&gt;'), stripslashes($str));
        }

        return str_replace(array("'", '"'), array('&#39;', '&quot;'), stripslashes($str));
    }
}

include BASEPATH . 'helpers/form_helper.php';

/* End of file form_helper.php */
/* Location: ./application/helpers/form_helper.php */

We have a static $prepped array that ensures we don't double prep any values, and obviously I think the $is_textarea parameter is superfluous.  You can have html entities in any form field, so why only escape them in textareas?  This has been working perfectly for me, and I create a lot of forms.  I think CodeIgniter should change this before they release 3.0 officially.  Maybe I should tell them that.

(Sorry, I can't get the htmlentities to display correctly, so do not copy and paste the above. Copy and paste from GitHub instead.)
Reply
#6

Maybe you should check first if it hasn't already been changed ... your post is based on outdated code.

But anyway, the thing is, set_value() should not be used with form_prep() in the first place, nor should any HTML-encoded data be saved to a database (your database doesn't know HTML) and lastly - no generic third-party tool is designed to work specifically with CI, so you shouldn't use CI helpers to integrate it.
Reply
#7

You're right.  Thanks for pointing that out to me Narf.  It looks like form_prep() is just an alias for html_escape() which is just an alias for htmlspecialchars(), but the $double_encode is still set to TRUE by default every time it is called by the helpers, so perhaps that is the problem egall8 is experiencing?
Reply
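
Added example, not part of any post in this thread and not CodeIgniter code: a simulation of the textarea round trip discussed above, comparing a value escaped once, escaped twice, and escaped twice with htmlspecialchars()'s $double_encode turned off. render_textarea() and browser_submit() are hypothetical stand-ins for the form helper and for a plain textarea in a browser, and the sample values are constructed.

```php
<?php
// Added illustration; not code from the thread or from CodeIgniter.
// render_textarea() and browser_submit() are hypothetical stand-ins for the
// form helper and for what a browser does with a plain <textarea>.

// Escape $value $passes times, as happens when two helpers each escape it.
function render_textarea(string $value, int $passes, bool $double_encode = true): string
{
    for ($i = 0; $i < $passes; $i++) {
        $value = htmlspecialchars($value, ENT_QUOTES, 'UTF-8', $double_encode);
    }
    return $value;
}

// The browser decodes character references in the textarea body once,
// and that decoded text is what gets posted back.
function browser_submit(string $markup): string
{
    return html_entity_decode($markup, ENT_QUOTES, 'UTF-8');
}

// Constructed sample values: the content from the first post, and content
// that itself contains an entity the author typed on purpose.
$samples = ['<p>testing</p>', '<code>&lt;b&gt;</code>'];

$strategies = [
    'escaped once'                    => [1, true],
    'escaped twice'                   => [2, true],
    'escaped twice, no double_encode' => [2, false],
];

foreach ($samples as $stored) {
    foreach ($strategies as $label => [$passes, $double_encode]) {
        $posted = browser_submit(render_textarea($stored, $passes, $double_encode));
        printf(
            "%-32s %-24s -> %-40s %s\n",
            $label,
            $stored,
            $posted,
            $posted === $stored ? 'round-trips' : 'CHANGED'
        );
    }
}
```

Only the single-escape strategy returns both samples unchanged. Turning off $double_encode hides the doubled call for the first sample, but it posts the second sample back with the typed `&lt;b&gt;` turned into a live `<b>` tag, so it is not a substitute for escaping exactly once at output.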



