views: 303
answers: 3

I have an issue with the html-encoding in the Input library in Codeigniter.

I have a form used to edit the News in the admin side of my project. Here is the HTML code of the title of the news:
echo form_input('title',($title) ? $title : $this->input->post('title'));

When the edit page is loaded, I'm taking the news title and assigning it to $title. After editing, if any validation error occurs, the form will be shown again with the posted value in the title field. The above code is written with that in mind.

Now coming to the issue, suppose admin enters title as XYZ's survey report, and submits. Then if a validation error occurs for some other field, when the form is loaded, the title field shows

XYZ's survey report

I think in the Input class, the posted value is html encoded. So my requirement is, if a validation error occurs, I have to html decode the value before showing it in the form. I have tried

echo form_input('title',($title) ? $title : html_entity_decode($this->input->post('title'),ENT_QUOTES));

and it works. But the project is big and has so many form fields. I would be disappointed to know this is the only way to achieve this.

A: 

The input class will encode automatically if you have XSS filtering enabled globally. Check your application/config/config.php file to make sure that it is turned off:

$config['global_xss_filtering'] = FALSE;

http://codeigniter.com/user_guide/libraries/input.html

Abinadi
+1  A: 

XSS Filtering doesn't affect the displayed input field value.

I see two options:

1) You can manually create the INPUT element:
<input type="text" name="title" value="<?php echo ($title) ? $title : $this->input->post('title'); ?>" />

2) You can modify the CodeIgniter source code (not recommended - it is likely to create havoc later on).

PS: Here is the function that CodeIgniter is using when showing the form_input value (form_helper.php):

function form_prep($str = '')
{
 // if the field name is an array we do this recursively
 if (is_array($str))
 {
  foreach ($str as $key => $val)
  {
   $str[$key] = form_prep($val);
  }

  return $str;
 }

 if ($str === '')
 {
  return '';
 }

 $temp = '__TEMP_AMPERSANDS__';

 // Replace entities to temporary markers so that 
 // htmlspecialchars won't mess them up
 $str = preg_replace("/&#(\d+);/", "$temp\\1;", $str);
 $str = preg_replace("/&(\w+);/",  "$temp\\1;", $str);

 $str = htmlspecialchars($str);

 // In case htmlspecialchars misses these.
 $str = str_replace(array("'", '"'), array("&#39;", "&quot;"), $str);

 // Decode the temp markers back to entities
 $str = preg_replace("/$temp(\d+);/","&#\\1;",$str);
 $str = preg_replace("/$temp(\w+);/","&\\1;",$str);

 return $str;
}

As you see, the function is using htmlspecialchars and other tricks.

UPDATE - CodeIgniter example:

// config.php: $config['global_xss_filtering'] = FALSE;
echo form_open("test");
echo form_input('title', ($this->input->post('title')) ? $this->input->post('title') : $title);
echo form_input('title', ($this->input->post('title')) ? $this->input->post('title') : $title, FALSE);
echo form_input('title', ($_POST['title']) ? $_POST['title'] : $title, FALSE);
echo "<input type=\"text\" name=\"title\" value=\"" . (($title) ? $title : $this->input->post('title')) . "\" />";
echo form_submit("btn", "Submit");
echo form_close();

// output:
<form action="/test/" method="post">
<input type="text" name="title" value="XYZ&#39;s survey report"  />
<input type="text" name="title" value="XYZ&#39;s survey report"  />
<input type="text" name="title" value="XYZ&#39;s survey report"  />
<input type="text" name="title" value="XYZ's survey report" />
<input type="submit" name="btn" value="Submit"  />
</form>
Kristoffer Bohmann
Thanks a lot Kristoffer. I did some testing and found many things:
1) Input class doesn't change the posted values like I said. Even if you have enabled XSS Filtering also, nothing will happen.
2) Actually it was occurring when I passed the data through the Form_validation class.
3) Though form validation encodes posted data, you can still get it correct by manually creating the form elements as you mentioned.
4) But if you are using form helper functions, then the issue occurs (after passing the posted data through the Form_validation class).
Thanks a lot mate...
Sreejith
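The mechanics behind this thread, as an added stand-alone example (not code from the original post and not CodeIgniter's own code): the visible "&#39;" text is what you get when a value that some layer has already escaped is escaped a second time by a plain htmlspecialchars(), whereas the marker-based form_prep() quoted above is idempotent and survives a second pass unchanged. It also shows why the html_entity_decode() workaround from the question is only safe when the decoded value is escaped again before it is written into the attribute. The function names escape_attr, escape_attr_idempotent and render_title_field and the $posted_is_escaped flag are assumptions made for this illustration; the example does not model how any particular CodeIgniter version rewrites $_POST.

```php
<?php
// Added example: one-shot escaping versus idempotent escaping, and the
// double-encoding symptom from the question. Not part of the original post.

// Plain single escaping of an attribute value. Applied twice, the '&' of an
// existing entity becomes '&amp;', which is the symptom in the question.
function escape_attr($str)
{
    return htmlspecialchars($str, ENT_QUOTES, 'UTF-8');
}

// Idempotent escaping, same idea as the form_prep() quoted above: existing
// numeric and named entities are parked behind a marker so htmlspecialchars()
// leaves them alone, then restored afterwards.
function escape_attr_idempotent($str)
{
    $temp = '__TEMP_AMPERSANDS__';
    $str = preg_replace('/&#(\d+);/', $temp . '$1;', $str);
    $str = preg_replace('/&(\w+);/',  $temp . '$1;', $str);
    $str = htmlspecialchars($str, ENT_QUOTES, 'UTF-8');
    $str = preg_replace('/' . $temp . '(\d+);/', '&#$1;', $str);
    $str = preg_replace('/' . $temp . '(\w+);/', '&$1;', $str);
    return $str;
}

// Renders the title field and escapes the value exactly once. The (assumed)
// $posted_is_escaped flag says whether an earlier layer, such as a validation
// step that writes prepped values back, has already escaped $posted.
function render_title_field($title, $posted, $posted_is_escaped = false)
{
    if ($title !== null && $title !== '') {
        $value = escape_attr($title);
    } elseif ($posted_is_escaped) {
        $value = $posted;               // already escaped: do not escape again
    } else {
        $value = escape_attr($posted);
    }
    return '<input type="text" name="title" value="' . $value . '" />';
}

// Constructed sample input, the same title as in the question.
$raw = "XYZ's survey report";

// 1. Escaped once: the browser renders the apostrophe.
$once = escape_attr($raw);

// 2. Escaped twice: the browser now renders the entity text literally.
$twice = escape_attr($once);

// 3. The marker-based escaper gives the same result on a second pass.
$idem_twice = escape_attr_idempotent(escape_attr_idempotent($raw));

// 4. Decode, then escape again: back to a single layer, still safe.
$repaired = escape_attr(html_entity_decode($once, ENT_QUOTES, 'UTF-8'));

// 5. The unsafe shortcut: decoding an already-escaped value and writing it
//    out raw lets attacker-controlled markup break out of the attribute.
$attack = escape_attr('"><script>alert(1)</script>');
$unsafe = '<input type="text" name="title" value="'
        . html_entity_decode($attack, ENT_QUOTES, 'UTF-8') . '" />';
$safe   = render_title_field('', $attack, true);

$cases = array(
    'once'             => $once,
    'twice'            => $twice,
    'idempotent twice' => $idem_twice,
    'repaired'         => $repaired,
    'unsafe'           => $unsafe,
    'safe'             => $safe,
);
foreach ($cases as $label => $html) {
    echo str_pad($label, 17) . ': ' . $html . PHP_EOL;
}
```

Run it with `php` on the command line and compare the "twice" and "idempotent twice" lines: the first carries an extra `&amp;`, the second does not. The "unsafe" line is the case to avoid in a real project: html_entity_decode() on a posted value is harmless only as an intermediate step before the single, final escape at the output boundary, never as the last thing done to the string.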
A: 

I think it's because of the set_value() function (if you're using it when inserting the data into the database)

max