value in input field

Question

value in input field

Farkhod Jul '13

Created Jul '13	Last Reply Apr '14	Replies 9	Views 2224	Votes 1

Farkhod 42.1k

Jul '13

Hello, all!

How to output string with double quotes in input field??? How to escaping double quotes before displaying the value?

1

Phalcon · Answer 1 · 2013-07-15T11:07:46-07:00

Values are automatically escaped by Phalcon\Tag:

This code:

$tag = new Phalcon\Tag();

$tag->setDefault('name', '"my name"');

echo $tag->textField('name');

Produces:

<input type="text" name="name" id="name" value="&#x22;my name&#x22;" />

Farkhod · Answer 2 · 2013-07-15T19:54:13-07:00

Farkhod
42.1k

Jul '13

but I'm using the form elements through: {{ form.render('element_name') }}

Phalcon · Answer 3 · 2013-07-16T07:53:08-07:00

Phalcon\Forms and the built-in elements also use Phalcon\Tag to generate the HTML, so the result would be same

Farkhod · Answer 4 · 2013-07-18T04:25:39-07:00

but generate <input type="text" class="input-xlarge" value="some "text""="" name="name" id="name">

Farkhod · Answer 5 · 2013-07-18T04:27:05-07:00

Sorry for the typo <input type="text" value="some "text"" name="contact_name" id="contact_name" />

Daniel Arroyo · Answer 6 · 2013-08-16T21:28:49-07:00

Daniel Arroyo
1.1k

Aug '13

The same is happening to me. Is there a resolution?

Mika Tähtinen · Answer 7 · 2013-09-06T10:22:34-07:00

I have this same problem using a form bound to a model entity and printing with {{ form.render }}. If I enter some XSS code in the form, post it, and show the form bound to both the entity and the $_POST data, it is escaped correctly. But after saving the code to the database and retrieving the same entity for editing the escaping fails. So it seems like the form.render only escapes the $_POST data but not the data coming from the model entity. Using v1.2.3-65 from FortRabbit Debian Repository.

Mika Tähtinen · Answer 8 · 2013-09-06T10:42:17-07:00

Here's a quick test:

class Product extends \Phalcon\Mvc\Model { public $title; }
class ProductsController extends \Phalcon\Mvc\Controller
{
    public function testAction()
    {
        $model = new Product();
        $model->title = '"><b>foobar</b>';

        $form = new Phalcon\Forms\Form($model);
        $form->add(new Phalcon\Forms\Element\Text('title'));

        $this->view->form = $form;
    }   
}

And the view:

{{ form.render('title') }}

And the result:

<input type="text" value=""><b>foobar</b>" name="title" id="title" />

Phalcon · Answer 9 · 2013-09-06T10:51:46-07:00

Phalcon
98.9k

Sep '13

This is fixed in the 1.3.0 branch

Mika Tähtinen · Answer 10 · 2013-09-21T09:22:53-07:00

Yes, this seems to be fixed in 1.3.0... but it seems that Tag::setDefault() is now broken with double escaping. For example foo'>bar transforms to foo'>bar after posting, using setDefault() and volt text_field().

Jimmy Chandra · Answer 11 · 2013-09-25T00:42:26-07:00

Jimmy Chandra
21.5k

Sep '13

Yes. Same problem here.

Dimitar Slavchev · Answer 12 · 2014-04-15T04:35:31-07:00

You can use html_entity_decode($form->render('fieldname')) , but this is overhead. Another solution is to override $form->render method. Again overhead :)

 public function render($name, $attributes = null) {

    $rendered = parent::render($name, $attributes);

    $search = array(
        '/\&amp;#34;/', // double quotes
        '/\&amp;#39;/', // single quote
    );

    $replace = array(
        '&quot;',
        '&rsquo;'
    );

    $rendered = preg_replace($search, $replace, $rendered);
    return $rendered;

}