A: 

With your code structure, no, but you can preprocess $_POST. This approach is not very nice, but if you fill out your forms ONLY like in the example, it's going to work.

$parametersToPreprocess = array(
    'text1',
    'text2',
);
foreach (array_keys($_POST) as $postKey) {
    if (in_array($postKey, $parametersToPreprocess)) {
        $_POST[$postKey] = htmlentities($_POST[$postKey]);
    }
}
kgb
A: 

Nope. PHP's built-in templating has no feature to automatically escape output values. The best you can manage is to define a function with a short name to save yourself a bit of typing:

<?php
    function h($s) {
        echo htmlspecialchars($s, ENT_QUOTES);
    }
?>

<input id="text" name="text" value="<?php h(isset($_POST['text'])? $_POST['text'] : ''); ?>">

(Note: htmlspecialchars, not htmlentities, which will try to HTML-encode all non-ASCII characters, which will mess them up if you don't pass in the right $charset argument.)

bobince
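
Added example, not part of either answer above: a PHP script that compares escaping at output with htmlspecialchars against the other variants discussed here (missing ENT_QUOTES, htmlentities with the wrong charset, and preprocessing $_POST before a template escapes again). The helper name e(), the labels and the sample string are constructed for illustration, and the file is assumed to be saved as UTF-8.

```php
<?php
// Added example; the helper name e() and the sample string are constructed.

// Escape for HTML text and quoted attribute values. Returns the string
// (instead of echoing) so the variants can be compared below.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed stand-in for a submitted $_POST['text'] value (UTF-8).
$submitted = "Zoë's \"café\" <b>";

$results = [
    // Escaped once, at output: quotes and angle brackets become entities,
    // non-ASCII characters stay as they are.
    'escape at output' => e($submitted),

    // ENT_COMPAT leaves the single quote alone, which matters when the
    // template writes value='...' with single-quoted attributes.
    'ENT_COMPAT' => htmlspecialchars($submitted, ENT_COMPAT, 'UTF-8'),

    // htmlentities told the wrong charset reads each byte of a UTF-8
    // character as its own ISO-8859-1 character and encodes it separately.
    'htmlentities, wrong charset' => htmlentities($submitted, ENT_QUOTES, 'ISO-8859-1'),

    // Preprocessed input that a template later escapes again: every "&"
    // from the first pass is encoded a second time.
    'preprocess, then escape' => e(htmlentities($submitted, ENT_QUOTES, 'UTF-8')),
];

foreach ($results as $label => $value) {
    printf("%-28s %s\n", $label, $value);
}

// Preprocessing also changes the data itself, so length checks and stored
// values no longer match what the user typed.
printf("%-28s %d vs %d bytes\n", 'raw vs preprocessed length',
    strlen($submitted), strlen(htmlentities($submitted, ENT_QUOTES, 'UTF-8')));
```

Run it with the PHP command-line interpreter and compare the four output lines; only the first is safe to place inside a quoted attribute without altering the text the user entered.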
A: 

In CodeIgniter we can do that as a part of rules like $rules['other_gait']="htmlentities|max_length[200]";

But thanks for the hint to use htmlentities.

ASD