We are moving our forum in GitHub Discussions. For questions about Phalcon v3/v4 you can visit here and for Phalcon v5 here.

value in input field

Hello, all!

How to output string with double quotes in input field??? How to escaping double quotes before displaying the value?


Values are automatically escaped by Phalcon\Tag:

This code:

$tag = new Phalcon\Tag();

$tag->setDefault('name', '"my name"');

echo $tag->textField('name');


<input type="text" name="name" id="name" value="&#x22;my name&#x22;" />


but I'm using the form elements through: {{ form.render('element_name') }}


Phalcon\Forms and the built-in elements also use Phalcon\Tag to generate the HTML, so the result would be same


but generate <input type="text" class="input-xlarge" value="some "text""="" name="name" id="name">


Sorry for the typo <input type="text" value="some "text"" name="contact_name" id="contact_name" />

The same is happening to me. Is there a resolution?

I have this same problem using a form bound to a model entity and printing with {{ form.render }}. If I enter some XSS code in the form, post it, and show the form bound to both the entity and the $_POST data, it is escaped correctly. But after saving the code to the database and retrieving the same entity for editing the escaping fails. So it seems like the form.render only escapes the $_POST data but not the data coming from the model entity. Using v1.2.3-65 from FortRabbit Debian Repository.

Here's a quick test:

class Product extends \Phalcon\Mvc\Model { public $title; }
class ProductsController extends \Phalcon\Mvc\Controller
    public function testAction()
        $model = new Product();
        $model->title = '"><b>foobar</b>';

        $form = new Phalcon\Forms\Form($model);
        $form->add(new Phalcon\Forms\Element\Text('title'));

        $this->view->form = $form;

And the view:

{{ form.render('title') }}

And the result:

<input type="text" value=""><b>foobar</b>" name="title" id="title" />


This is fixed in the 1.3.0 branch

Yes, this seems to be fixed in 1.3.0... but it seems that Tag::setDefault() is now broken with double escaping. For example foo'>bar transforms to foo&#039;&gt;bar after posting, using setDefault() and volt text_field().

Yes. Same problem here.

edited Apr '14

You can use html_entity_decode($form->render('fieldname')) , but this is overhead. Another solution is to override $form->render method. Again overhead :)

 public function render($name, $attributes = null) {

    $rendered = parent::render($name, $attributes);

    $search = array(
        '/\&amp;#34;/', // double quotes
        '/\&amp;#39;/', // single quote

    $replace = array(

    $rendered = preg_replace($search, $replace, $rendered);
    return $rendered;