value in input field

Hello, all!

How to output a string with double quotes in an input field? How to escape double quotes before displaying the value?



84.5k

Values are automatically escaped by Phalcon\Tag:

This code:

```php
$tag = new Phalcon\Tag();

$tag->setDefault('name', '"my name"');

echo $tag->textField('name');
```

Produces:

```html
<input type="text" name="name" id="name" value="&#x22;my name&#x22;" />
```



26.0k

but I'm using the form elements through: {{ form.render('element_name') }}



84.5k

Phalcon\Forms and the built-in elements also use Phalcon\Tag to generate the HTML, so the result would be the same.



26.0k

but generate <input type="text" class="input-xlarge" value="some "text""="" name="name" id="name">



26.0k

Sorry for the typo <input type="text" value="some "text"" name="contactname" id="contactname" />

The same is happening to me. Is there a resolution?

I have this same problem using a form bound to a model entity and printing with {{ form.render }}. If I enter some XSS code in the form, post it, and show the form bound to both the entity and the $_POST data, it is escaped correctly. But after saving the code to the database and retrieving the same entity for editing, the escaping fails. So it seems like form.render only escapes the $_POST data but not the data coming from the model entity. Using v1.2.3-65 from the FortRabbit Debian repository.

Here's a quick test:

```php
// Minimal model with a single attribute used as the form value
class Product extends \Phalcon\Mvc\Model
{
    public $title;
}

class ProductsController extends \Phalcon\Mvc\Controller
{
    public function testAction()
    {
        // Value that tries to close the attribute and inject markup
        $model = new Product();
        $model->title = '"><b>foobar</b>';

        // Bind the form to the entity, not to $_POST
        $form = new Phalcon\Forms\Form($model);
        $form->add(new Phalcon\Forms\Element\Text('title'));

        $this->view->form = $form;
    }
}
```

And the view:

```
{{ form.render('title') }}
```

And the result:

```html
<input type="text" value=""><b>foobar</b>" name="title" id="title" />
```


84.5k

This is fixed in the 1.3.0 branch

Yes, this seems to be fixed in 1.3.0... but it seems that Tag::setDefault() is now broken with double escaping. For example foo'>bar transforms to foo&amp;#039;&amp;gt;bar after posting, using setDefault() and volt text_field().

Yes. Same problem here.

edited Apr '14

You can use html_entity_decode($form->render('fieldname')), but this is overhead. Another solution is to override the $form->render method. Again overhead :)

```php
// Form subclass (name chosen here) that undoes the double escaping
class MyForm extends Phalcon\Forms\Form
{
    public function render($name, $attributes = null)
    {
        $rendered = parent::render($name, $attributes);

        // Entities that were escaped twice (once by setDefault(), once by render())
        $search = array(
            '/\&amp;#34;/', // double quotes
            '/\&amp;#39;/', // single quote
        );

        $replace = array(
            '&quot;',
            '&rsquo;'
        );

        $rendered = preg_replace($search, $replace, $rendered);
        return $rendered;
    }
}
```
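An added example, not from this thread or from Phalcon, showing the two points discussed above: escaping a value exactly once at the attribute boundary so the model-entity value cannot break out, and reproducing the foo&amp;#039;&amp;gt;bar symptom when the same value is escaped twice. The helper names escapeAttr, renderTextField and check are hypothetical.

```php
<?php
// Added example (not Phalcon's code): escape a value once, at the point
// where it is written into the HTML attribute.

function escapeAttr(string $value, bool $alreadyEscaped = false): string
{
    // ENT_QUOTES escapes both " and ' so the value can never close the
    // attribute. double_encode=false is only correct when the caller
    // guarantees the value was escaped once already (the setDefault case);
    // for raw model data the default (true) is the safe choice.
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML401, 'UTF-8', !$alreadyEscaped);
}

function renderTextField(string $name, string $value): string
{
    $n = escapeAttr($name);
    return sprintf('<input type="text" name="%s" id="%s" value="%s" />', $n, $n, escapeAttr($value));
}

function check(bool $ok, string $msg): void
{
    if (!$ok) {
        throw new RuntimeException($msg);
    }
}

// Constructed sample values based on the cases discussed in the thread.
$cases = ['"my name"', '"><b>foobar</b>', "foo'>bar"];

foreach ($cases as $raw) {
    $escaped = escapeAttr($raw);
    // Nothing that could end the attribute or open a tag may survive.
    check(strpbrk($escaped, '"\'<>') === false, "unescaped character in: $escaped");
    echo renderTextField('title', $raw), PHP_EOL;
}

// Double escaping: running the default escaper twice turns foo'>bar into
// foo&amp;#039;&amp;gt;bar, the symptom reported with setDefault().
// Marking the value as already escaped keeps the first encoding intact.
$once = escapeAttr("foo'>bar"); // foo&#039;&gt;bar
check(escapeAttr($once) === 'foo&amp;#039;&amp;gt;bar', 'double escape not reproduced');
check(escapeAttr($once, true) === $once, 'escape-once did not preserve entities');
```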