form_input double escaping data why ?

[crustamet]

hello i use this function form_input from the form helper like this, i don't know what i am doing wrong and don`t know if this is a bug or not but please test this.

$input_attrs = array();
$input_attrs['name'] = 'contact_name';
$input_attrs['type'] = 'text';
$input_attrs['value'] = set_value('contact_name');

echo form_input($input_attrs);

and when i put this value in the input

<script>alert("test")</script>

it returns this :

<script>alert("test")</script>

instead of :

<script>alert("test")</script>

But when i use without the form_input function and use it like this

<input type="text" name="contact_name" value="<?=set_value('contact_name')?>">

it returns good escaped data

<script>alert("test")</script>

[crustamet]

This was the worst thing happening in codeigniter 3 also :( horror stuff.. xD

This needs to end right ?

[lonnieezell]

I'm a bit confused about how this is bad: <script>alert("test")</script> and this is good <script>alert("test")</script>?

If someone is inputting a script in your form it should be caught and dealt with so that it does not execute when the form is redisplayed, or the data viewed. When the data is displayed in the input it is automatically escaped to make it safe. That's why you're seeing that.

[crustamet]

Hello again, i edited the problem so you guys can check please take this error bug into consideration, because on all other platforms this works and on this does not.