FuelPHP form field value converts some character into HTML entities

0
votes

I have strange behavior in FuelPHP. I generate form field with FuelPHP Form::input() method. The problem is that some characters get converted into HTML entities. For example character š gets converted into š. The form field generation code can be seen below and the output can be seen on the picture (the first output is just the plain html text). 

<?php echo $user->profile_fields['firstname']; ?> 
<?php echo Form::input('firstname', Input::post('firstname', isset($user->profile_fields['firstname']) ? $user->profile_fields['firstname'] : '')); ?>

enter image description here

The weirdest thing is this only happens in the form field where the value is read from profile_fields DB field in user table ($user->profile_fields['firstname']). Profile_fields is standard MySQL text field in user table used by SimpleAuth driver. This field holds serialized key=>value pairs of user information like firstname, lastname, address and so on... If I read the same value from non-serialized field in DB and create form field with this value then it will be displayed properly.

I use utf8_unicode_ci collation and encoding in my DB setup, and FuelPHP locale and encoding is also set properly to UTF-8.

UPDATE1: take a look at this:

//values read from MySQL DB, via FuelPHP orm, unserialized
echo $user->profile_fields['firstname'] . ' ' . $user->profile_fields['lastname'];
echo '<br>';

//same values serialized and assigned to PHP array var
$test = serialize(array('firstname'=>'Urška', 'lastname'=>'Neumüller'));
var_dump($test);

echo '<br>';
$test2 = unserialize($test);
var_dump($test2);

echo '<br>';
echo '<input type="text" value="'.$test2['firstname'].'">';
echo '<input type="text" value="'.$test2['lastname'].'">';

echo '<br>';
echo '<input type="text" value="'.htmlspecialchars($test2['firstname']).'">';
echo '<input type="text" value="'.htmlspecialchars($test2['lastname']).'">';

echo '<br>';
echo '<input type="text" value="'.$user->profile_fields['firstname'].'">';
echo '<input type="text" value="'.$user->profile_fields['lastname'].'">';

echo '<br>';
echo '<input type="text" value="'.htmlspecialchars($user->profile_fields['firstname']).'">';
echo '<input type="text" value="'.htmlspecialchars($user->profile_fields['lastname']).'">';

htmlspecialchars is used here because FuelPHP Form class use it when generating a form field and is the cause for some characters being converted into HTML entities.

output:

enter image description here

Is this problem in DB, PHP, FuelPHP... I am completely lost here!

2
formsencodinghtml-entitiesfuelphp

2 Answers

2
votes

You have to look very clearly at what you are doing.

FuelPHP by default encodes on output, meaning all data you send to a view will be html encoded. In this case, $user, which is send from the controller to the view, will be encoded.

Your $test2 array is created INSIDE the view, and will therefore not be encoded.

Now, when you use a value of $user in Form::input(), the value will be prepped (as Frank correctly mentioned), which will encode again. As an example, "&amp;" will be converted to "&amp;amp;", and will lead to the behaviour you describe. Same if you manually encode a value from $user, as your example shows.

So:

  • pass the variable to the view without encoding (might be dangerous!)
  • disable prepping as Frank described
  • upgrade to the latest 1.1/develop branch, which has double encoding disabled by default
0
votes

Normally special characters are encoded on output, for security reasons. You can turn that off if you set the form condig param prep_value to false or supply the input field an attr of "dont_prep" => true.