Escaping output in CI4 about opensourcepos HOT 5 CLOSED

I'm pushing a proof of concept to the ci4-branch. Take a look at the form_basic_info.php and how it interacts with the Customer info view.

from opensourcepos.

The idea is that we have a modified esc() function called esc_safe() which checks to see if the string is already encoded and only runs esc() against it if it's not already encoded. Then the result of that is wrapped in a modified version of html_entity_decode() called html_limited_decode() which takes a string and an array of safe characters. It then only decodes html entities for those characters. Take this example:

<div class="form-group form-group-sm">
	<?= form_label(lang('Common.first_name'), 'first_name', ['class' => 'required control-label col-xs-3']) ?>
	<div class='col-xs-8'>
		<?= form_input ([
			'name' => 'first_name',
			'id' => 'first_name',
			'class' => 'form-control input-sm',
			'value' => html_limited_decode(esc_safe($person_info->first_name), ['\''])
		]) ?>
	</div>
</div>

Since the only html entity character we want to not be encoded is the single quote, that's all that appears in safe characters.

from opensourcepos.

CI is just using laminas/laminas-escaper and in the html context laminas-escaper is just calling htmlspecialchars() which has the optional bool $double_encode = true parameter. I submitted a PR to laminas laminas/laminas-escaper#54

It may take awhile to get it into CI4

from opensourcepos.

in the meantime the esc_safe() function needs a little more work because currently it's escaping everything when just one character is able to be escaped instead of a true not double-encoding... I think until laminas and ci get my PR into the code, we may need to skip esc() all together and just call htmlspecialchars directly. This is only acceptable in the html context.

from opensourcepos.

Nevermind. esc() does not need to be called inside any of the functions in the form helper https://codeigniter.com/user_guide/helpers/form_helper.html

from opensourcepos.