html_escape on set_value
Posted: 03 October 2012 05:21 AM
Joined: 2011-05-26
22 posts

Hi!

For this example I’ve got an input in a view:

<input type="text" name="name" value="<? echo set_value('name'); ?>" /> 

If the form is submitted it will run through the form_validation in its controller. If it fails, the value will be returned to the view. But if I fill in:

"><h1>It works!</h1> 

The result will be:

<input type="text" name="name" value=""><h1>It works!</h1>" /> 

After the validation I see the H1! So it’s not escaping with htmlspecialchars or CI’s own function: html_escape.

What’s the best solution to fix this and how did you fix this?

Just run it through html_escape in the view, like this?

<input type="text" name="name" value="<? echo html_escape(set_value('name')); ?>" /> 

Thanks!

 
Posted: 04 October 2012 04:53 AM   [ # 1 ]   [ Rating: 0 ]
Joined: 2011-05-26
22 posts

Somebody?

 
Posted: 04 October 2012 06:01 AM   [ # 2 ]   [ Rating: 0 ]
Joined: 2006-03-25
1011 posts

That should help you ( htmlentities ):
http://ellislab.com/forums/viewthread/225038/#1032189

Generally I would prefer to use textareas for HTML input,
just my personal preference maybe.

 
Posted: 04 October 2012 06:08 AM   [ # 3 ]   [ Rating: 0 ]
Joined: 2011-05-26
22 posts

Thanks, but as you can see the input is for a name, but if somebody doesn’t fill in his name but:

"><h1>It works!</h1> 

It “breaks” the code and the H1 is visible when the form validation in the controller fails! So set_value doesn’t escape things like the html_escape function does.

So my question is how people fix this or what’s the best practice?

 
Posted: 04 October 2012 06:30 AM   [ # 4 ]   [ Rating: 0 ]
Joined: 2006-03-25
1011 posts

I don’t know what the best practice is, but using the “htmlentities” function
should solve the problem of breaking your HTML.

 
Posted: 04 October 2012 06:57 AM   [ # 5 ]   [ Rating: 0 ]
Joined: 2011-05-26
22 posts

OK, a little addition:
The problem is apparently the default value, not the value returned from set_value; that’s likely escaped. Can someone confirm that the value returned from set_value is escaped?

OK:

<input type="text" name="name" value="<? echo set_value('name'); ?>" /> 

LIKE:

<input type="text" name="name" value="&quot;><h1>It works!</h1>" /> 

Not OK (when the form is successfully submitted, but when you go back to the form and $name is the value pasted in):

<input type="text" name="name" value="<? echo set_value('name',$name); ?>" /> 

LIKE:

<input type="text" name="name" value=""><h1>It works!</h1>" /> 

Solution:

<input type="text" name="name" value="<? echo set_value('name',html_escape($name)); ?>" /> 

WILL BE:

<input type="text" name="name" value="&quot;><h1>It works!</h1>" /> 
 
Posted: 06 October 2012 02:29 PM   [ # 6 ]   [ Rating: 0 ]
Joined: 2011-05-26
22 posts

Someone?

 
Posted: 06 October 2012 03:03 PM   [ # 7 ]   [ Rating: 0 ]
Joined: 2011-10-15
5 posts

set_value() does not escape anything.  You should escape your HTML with html_escape() or add it to a text area.

 
Posted: 06 October 2012 03:11 PM   [ # 8 ]   [ Rating: 0 ]
Joined: 2011-10-15
5 posts

I think you may want to look into form_prep() as well which is called automatically when you use set_value().  form_prep() is why you are seeing the HTML escape happening.

From the manual:

form_prep()

Allows you to safely use HTML and characters such as quotes within form elements without breaking out of the form. Consider this example:

$string = 'Here is a string containing "quoted" text.';

<input type="text" name="myform" value="$string" />

Since the above string contains a set of quotes it will cause the form to break. The form_prep function converts HTML so that it can be used safely:

<input type="text" name="myform" value="<?php echo form_prep($string); ?>" />

Note: If you use any of the form helper functions listed in this page the form values will be prepped automatically, so there is no need to call this function. Use it only if you are creating your own form elements.

 
Posted: 07 October 2012 06:07 AM   [ # 9 ]   [ Rating: 0 ]
Joined: 2011-05-26
22 posts

If I look at set_value it runs through form_prep. When I take a look at form_prep it runs through html_escape! And html_escape is the same as htmlspecialchars with ENT_QUOTES and the charset.

So... set_value takes values through htmlspecialchars!
But... the default value is just returned! So that is what I have to escape manually, like:

<input type="text" name="name" value="<? echo set_value('name',html_escape($name)); ?>" /> 

Thanks for the explanation!
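The behaviour worked out in posts #5 and #9 can be reproduced in a stand-alone script. The following is an added example, not CodeIgniter's code and not from any poster: the demo_* functions are simplified stand-ins for CI's html_escape(), form_prep() and the helper's set_value() (without an active Form_validation object, and without form_prep's "already prepped" bookkeeping), and the $payload string is the constructed sample from this thread. It renders the same <input> three ways and checks whether the attribute stayed intact.

```php
<?php
// Added example, not CodeIgniter's code. The three demo_* functions are
// simplified stand-ins for CI's html_escape(), form_prep() and set_value(),
// reduced to the logic discussed in this thread.

// Stand-in for html_escape(): htmlspecialchars with ENT_QUOTES and a charset,
// so both quote styles and angle brackets are neutralised inside an attribute.
function demo_html_escape($str, $charset = 'UTF-8')
{
    return htmlspecialchars($str, ENT_QUOTES, $charset);
}

// Stand-in for form_prep(): prepare a value for use inside a quoted attribute.
function demo_form_prep($str)
{
    return ($str === '') ? '' : demo_html_escape($str);
}

// Stand-in for set_value() with no active validation object: a posted value
// goes through form_prep, but the default is handed back untouched.
function demo_set_value(array $post, $field, $default = '')
{
    if ( ! isset($post[$field]))
    {
        return $default;   // the view is responsible for escaping this one
    }
    return demo_form_prep($post[$field]);
}

// Render the <input> exactly as the views in this thread do.
function render_input($value)
{
    return '<input type="text" name="name" value="' . $value . '" />';
}

// Check that the rendered markup is still a single <input> element: an
// unescaped '">' in the value closes the attribute and starts new tags.
function markup_is_single_input($html)
{
    return substr_count($html, '<') === 1;
}

// Constructed sample input: the string used in the thread, standing in for
// what arrives in $_POST on a failed submit or in $name on a later page load.
$payload = '"><h1>It works!</h1>';

$cases = array(
    // Case 1 (post #5 "OK"): failed validation, value comes from the POST array.
    'posted value'    => render_input(demo_set_value(array('name' => $payload), 'name')),
    // Case 2 (post #5 "Not OK"): fresh page load, value passed as the default.
    'raw default'     => render_input(demo_set_value(array(), 'name', $payload)),
    // Case 3 (post #5 / #9 "Solution"): escape the default in the view. Since
    // the default is only returned when the field is absent from POST, this
    // never double-escapes a posted value.
    'escaped default' => render_input(demo_set_value(array(), 'name', demo_html_escape($payload))),
);

foreach ($cases as $label => $html)
{
    printf("%-16s %s  %s\n", $label, markup_is_single_input($html) ? 'intact' : 'BROKEN', $html);
}
```

Run it with `php` on the command line. Only the "raw default" case reports BROKEN, which is the situation post #5 describes: the escaping lives in the POST branch, so any default the view supplies has to be escaped by the view itself, and wrapping the default in html_escape() costs nothing when a posted value is present because the default is not used at all in that branch.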

 
Posted: 18 October 2012 07:19 PM   [ # 10 ]   [ Rating: 0 ]
Joined: 2010-06-09
7 posts

CodeIgniter automatically passes the $_POST array through htmlspecialchars() when you use set_value(). If you take a look at the set_value() function in the form_helper.php, you will see that the desired value is passed through form_prep() which executes a htmlspecialchars() on the desired field.

In order to avoid this, you need to extend the form_helper adding a third optional parameter that skips the form_prep() execution. Just copy the following code into a MY_form_helper.php and copy it to application/helpers/

<?php  if ( ! defined('BASEPATH')) exit('No direct script access allowed');

/**
 * Form Value
 *
 * Grabs a value from the POST array for the specified field so you can
 * re-populate an input field or textarea.  If Form Validation
 * is active it retrieves the info from the validation class
 * NEW: Added a third parameter prep to skip htmlspecialchars escaping
 *
 * @access public
 * @param string
 * @return mixed
 */
if ( ! function_exists('set_value'))
{
    function set_value($field = '', $default = '', $prep = TRUE)
    {
        // No Form_validation object: read straight from the POST array
        if (FALSE === ($OBJ =& _get_validation_object()))
        {
            if ( ! isset($_POST[$field]))
            {
                return $default;
            }

            return $prep ? form_prep($_POST[$field], $field) : $_POST[$field];
        }

        // Validation object present: let it resolve the value, then prep unless told not to
        return $prep ? form_prep($OBJ->set_value($field, $default), $field) : $OBJ->set_value($field, $default);
    }
}


/* End of file MY_form_helper.php */
/* Location: ./application/helpers/MY_form_helper.php */