
I didn't realize this until now, but when using the CodeIgniter form validation class, if validation fails ($this->form_validation->run() === FALSE), all special characters in the post variables get converted, including any single or double quotes that were in the text inputs. Is there a way to turn off this behavior? I made pre-filling all forms in my project done with the html_escape command like so:

<input value="<?php echo html_escape($this->input->post('value'));?>" />

The html_escape ends up doing htmlspecialchars a second time, displaying the html entities in the form. I didn't set any rules to use "prep_for_form", and XSS is turned off, so I don't know why CI would choose to do this for me.

Also, I do know about the set_value function to pre-fill values, but in my case I'm doing something else that doesn't allow me to use that function.

Any help is appreciated.

The CodeIgniter input class automatically does it. I believe there is a config value you can change to turn that off called like xss_filtering or something. But why turn it off? – Rooster Jun 13 at 16:18
XSS is off, this is strictly prep_for_form working. What if I want to save the post variables in the session or database? The html entities will get saved instead of what I need. I want to be able to choose what gets converted and what doesn't. – user371699 Jun 13 at 16:21
if you want to save them in the session or database, you encode them before putting them in, and you decode them when you take them out. – Rooster Jun 13 at 16:23
CodeIgniter's Active Record does that for me, it just escapes characters. It doesn't actually convert special characters to html entities. – user371699 Jun 13 at 16:29

1 Answer

Turns out this is just built in. If you want to turn off form prepping when form validation does not pass, simply extend the form_validation class using MY_Form_validation.php, copy the original run() function, and comment out the following code:

if ($total_errors > 0)
{
    $this->_safe_form_data = TRUE;
}
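As an added example (not code from the question or from the CodeIgniter project), the same effect as commenting those lines out of a copied run() can be had with a much shorter subclass that hooks the step where the prepped values are written back into $_POST. It assumes, based on the CodeIgniter 2.x/3.x Form_validation source (verify against your installed version), that run() sets $this->_safe_form_data to TRUE when any rule fails and then immediately calls $this->_reset_post_array(), and that prep_for_form() returns its input untouched while that flag is FALSE. The property name escape_post_on_failure is a hypothetical switch introduced here.

```php
<?php
// application/libraries/MY_Form_validation.php
// Added example, not part of the original answer or of CodeIgniter itself.
//
// Assumption (from the CodeIgniter 2.x/3.x Form_validation source; check
// your installed version): run() raises $this->_safe_form_data when any
// rule fails and then calls $this->_reset_post_array(), which passes every
// field through prep_for_form(). prep_for_form() leaves the data alone as
// long as _safe_form_data is FALSE, so clearing the flag right here is
// equivalent to deleting the three lines quoted in the answer, without
// maintaining a private copy of run().

class MY_Form_validation extends CI_Form_validation
{
    // Hypothetical switch: set to TRUE to get the stock behaviour back
    // (HTML-encode quotes and angle brackets in $_POST on failed validation).
    public $escape_post_on_failure = FALSE;

    // Declared public on purpose: CI 2.x declares this method public and
    // PHP refuses to narrow visibility in a subclass; widening from the
    // protected declaration used in CI 3.x is allowed.
    public function _reset_post_array()
    {
        if ($this->escape_post_on_failure === FALSE)
        {
            // Leave $_POST exactly as the user typed it. Escaping for HTML
            // is then done once, at output, e.g. html_escape() in the view.
            $this->_safe_form_data = FALSE;
        }

        parent::_reset_post_array();
    }
}
```

Drop the file into application/libraries/ (the MY_ prefix follows $config['subclass_prefix']) and the loader picks it up in place of the stock class. The trade-off is the one the question already makes: after a failed run() every value read from $_POST is raw user input, so it must go through html_escape() (or set_value()) each time it is echoed into the form, and any copy kept in the session or database is the original text rather than HTML entities, which is what you want when Active Record handles SQL escaping and the view handles HTML escaping.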
