Hello, all!
How do I output a string with double quotes in an input field? How do I escape double quotes before displaying the value?
Apr '14
I have this same problem using a form bound to a model entity and printing with {{ form.render }}. If I enter some XSS code in the form, post it, and show the form bound to both the entity and the $_POST data, it is escaped correctly. But after saving the code to the database and retrieving the same entity for editing the escaping fails. So it seems like the form.render only escapes the $_POST data but not the data coming from the model entity. Using v1.2.3-65 from FortRabbit Debian Repository.
Here's a quick test:
class Product extends \Phalcon\Mvc\Model
{
    public $title;
}

class ProductsController extends \Phalcon\Mvc\Controller
{
    public function testAction()
    {
        // Bind the form to a model whose title contains an attribute-breaking value
        $model = new Product();
        $model->title = '"><b>foobar</b>';
        $form = new \Phalcon\Forms\Form($model);
        $form->add(new \Phalcon\Forms\Element\Text('title'));
        $this->view->form = $form;
    }
}
And the view:
{{ form.render('title') }}
And the result:
<input type="text" value=""><b>foobar</b>" name="title" id="title" />
You can use html_entity_decode($form->render('fieldname')), but this is overhead. Another solution is to override the $form->render method. Again overhead :)
class UnescapedForm extends \Phalcon\Forms\Form
{
    public function render($name, $attributes = null)
    {
        $rendered = parent::render($name, $attributes);
        $search = array(
            '/&#34;/', // double quote entity emitted by the escaper
            '/&#39;/', // single quote entity
        );
        $replace = array(
            '"',   // restored as a literal double quote
            '’',   // replaced with a typographic apostrophe, not a literal '
        );
        // This reverses the output escaping: a value such as "><b>foobar</b>
        // can close the value="" attribute again in the rendered markup
        return preg_replace($search, $replace, $rendered);
    }
}
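To make the asymmetry concrete, here is an added example (not code from the thread or from Phalcon itself) that renders the same title value from the ProductsController test with attribute escaping applied regardless of whether it came from $_POST or from the model, and then applies the entity-decoding override from the previous reply to show that it reopens the attribute. It uses plain htmlspecialchars() so it runs without the Phalcon extension; the framework equivalent would be \Phalcon\Escaper::escapeHtmlAttr(). The decoder also matches &quot;, which htmlspecialchars emits instead of &#34;; that is an assumption made here, not part of the original override.

```php
<?php
// Added example: escape the value attribute regardless of data source,
// then show what the entity-decoding override does to the escaped markup.

/** Escape a value for a double-quoted HTML attribute; ENT_QUOTES covers " and '. */
function escapeAttr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Render the text input the same way the view above does, but escaped. */
function renderTextInput(string $name, string $value): string
{
    return sprintf('<input type="text" value="%s" name="%s" id="%s" />',
        escapeAttr($value), escapeAttr($name), escapeAttr($name));
}

/** The override from the last reply, plus &quot; so it also matches htmlspecialchars output (assumption). */
function decodeQuotes(string $html): string
{
    return preg_replace(['/&#34;/', '/&quot;/', '/&#39;/'], ['"', '"', '’'], $html);
}

/** True when the tag still has exactly the 8 quote characters sprintf placed around its attributes. */
function attributeIntact(string $html): bool
{
    return substr_count($html, '"') === 8;
}

// Same model value as in the ProductsController test (constructed input).
$title = '"><b>foobar</b>';

$safe = renderTextInput('title', $title);
echo $safe, PHP_EOL;
// <input type="text" value="&quot;&gt;&lt;b&gt;foobar&lt;/b&gt;" name="title" id="title" />
echo 'escaped output intact: ', attributeIntact($safe) ? 'yes' : 'no', PHP_EOL;   // yes

// Decoding the entities afterwards puts the raw quote back inside value="".
$broken = decodeQuotes($safe);
echo $broken, PHP_EOL;
// <input type="text" value=""&gt;&lt;b&gt;foobar&lt;/b&gt;" name="title" id="title" />
echo 'decoded output intact: ', attributeIntact($broken) ? 'yes' : 'no', PHP_EOL;  // no
```

The escaped version keeps the title inside the attribute and the browser still displays the literal quote, which is what the original question asked for; the decoded version is the unescaped markup shown earlier in the thread.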