CodeIgniter 3 + unwanted displaying of symbols as HTML code

I had posted this question in the CodeIgniter forums with no success, so I thought there might be someone here who knows the answer.

I have a registration form, an edit registration form, and a display of the info from the form. Entering a last name such as “O’Brian” would result in O'Brian being inserted into the database, and showing up in the input field of the edit form. It did however display correctly.

My meta tag in the head was set to utf-8, and my text editor also was set to utf-8. But for some reason my database COLLATION was set to latin1_swedish_ci by mistake (I have no idea how that happened :blush:). I fixed that - changed my database, all the tables and all the relevant fields to utf8_general_ci.

Now the symbols are entered into the database correctly, but the HTML code (') is still appearing when the edit form is pre-populated.

One suggestion was “stop using global_xss_filtering, xss_clean() (you probably have that as a form validation rule)”. This is my only validation rule for that input:

$this->form_validation->set_rules('last_name', '<span>"Last Name"</span>', 'required'); 

And I have $config[‘global_xss_filtering’] = FALSE; in my config.php file.

Another suggestion was that I was doing some HTML escaping in my code - I am not.

Here is my form input:

<div class="form-control">
     <?php echo form_label('Last Name: ', 'last_name'); ?><br />
     <?php
          $attributes = array(
               'id' => 'last_name',
               'name' => 'last_name',
               'value' => set_value('last_name', $client->last_name)
          );
         echo form_input($attributes);
     ?>
</div> <!-- end of .form-control --> 

My $data array element from the controller:

'client' =>$this->registration_model->get_single_client($_SESSION['client_id']), 

and the database query from the model:

 public function get_single_client($client_id) {
 
 $this->db->where('id', $client_id);
 $query = $this->db->get('clients');
 
 return $query->row();
 
 } 

Is there anything else I should be looking at? I really don’t want the user to have to keep seeing the HTML code.

1 Like

Problem solved finally! In my $attributes array, the set_value has an optional parameter (boolean) that will turn off HTML escaping of the value. So I just changed that line to

'value' => set_value('last_name', $client->last_name, FALSE)

I’m a bit concerned about security, but this is a private application used only within the organization.

1 Like

<offtopic>
latin1_swedish_ci used to be the default I believe.
</offtopic>

escaping has nothing to do with security so the security aspects are unchanged - if you are worried now then you should have been equally worried before making the change

This topic was automatically closed 91 days after the last reply. New replies are no longer allowed.