Merge pull request #1327 from nowackipawel/patch-11

lonnieezell · web-flow · commit f27b8d1f8f43 · 2018-10-18T23:12:36.000-05:00
FIX   form_hidden and form_open - value escaping as is in form_input.
diff --git a/system/Helpers/form_helper.php b/system/Helpers/form_helper.php
@@ -92,7 +92,7 @@ function form_open(string $action = '', $attributes = [], array $hidden = []): s
 		{
 			foreach ($hidden as $name => $value)
 			{
-				$form .= '<input type="hidden" name="' . $name . '" value="' . $value . '" style="display: none;" />' . "\n";
+				$form .= '<input type="hidden" name="' . $name . '" value="' . esc($value,'html') . '" style="display: none;" />' . "\n";
 			}
 		}
 
@@ -171,7 +171,7 @@ function form_hidden($name, $value = '', bool $recursing = false): string
 
 		if ( ! is_array($value))
 		{
-			$form .= '<input type="hidden" name="' . $name . '" value="' . $value . "\" />\n";
+			$form .= '<input type="hidden" name="' . $name . '" value="' . esc($value,'html') . "\" />\n";
 		}
 		else
 		{

Original file line number	Diff line number	Diff line change
`@@ -92,7 +92,7 @@ function form_open(string $action = '', $attributes = [], array $hidden = []): s`
`92`	`92`	`{`
`93`	`93`	`foreach ($hidden as $name => $value)`
`94`	`94`	`{`
`95`		`- $form .= '<input type="hidden" name="' . $name . '" value="' . $value . '" style="display: none;" />' . "\n";`
	`95`	`+ $form .= '<input type="hidden" name="' . $name . '" value="' . esc($value,'html') . '" style="display: none;" />' . "\n";`
`96`	`96`	`}`
`97`	`97`	`}`
`98`	`98`
`@@ -171,7 +171,7 @@ function form_hidden($name, $value = '', bool $recursing = false): string`
`171`	`171`
`172`	`172`	`if ( ! is_array($value))`
`173`	`173`	`{`
`174`		`- $form .= '<input type="hidden" name="' . $name . '" value="' . $value . "\" />\n";`
	`174`	`+ $form .= '<input type="hidden" name="' . $name . '" value="' . esc($value,'html') . "\" />\n";`
`175`	`175`	`}`
`176`	`176`	`else`
`177`	`177`	`{`