-rw-r--r-- | modules/forge/libraries/Form_Checkbox.php | 2 | ||||
-rw-r--r-- | modules/forge/libraries/Form_Checklist.php | 2 | ||||
-rw-r--r-- | modules/forge/libraries/Form_Group.php | 2 | ||||
-rw-r--r-- | system/helpers/form.php | 19 |
4 files changed, 16 insertions, 9 deletions
diff --git a/modules/forge/libraries/Form_Checkbox.php b/modules/forge/libraries/Form_Checkbox.php
index b94fc438..aded4fdf 100644
--- a/modules/forge/libraries/Form_Checkbox.php
+++ b/modules/forge/libraries/Form_Checkbox.php
@@ -68,7 +68,7 @@ class Form_Checkbox_Core extends Form_Input {
 $label = ' '.ltrim($label);
 }
- return '<label>'.form::input($data).$label.'</label>';
+ return '<label>'.form::input($data).html::clean($label).'</label>';
 }
 protected function load_value()
diff --git a/modules/forge/libraries/Form_Checklist.php b/modules/forge/libraries/Form_Checklist.php
index 99b455bd..4536d396 100644
--- a/modules/forge/libraries/Form_Checklist.php
+++ b/modules/forge/libraries/Form_Checklist.php
@@ -67,7 +67,7 @@ class Form_Checklist_Core extends Form_Input {
 $data['value'] = $val;
 $data['checked'] = $checked;
- $checklist .= '<li><label>'.form::checkbox($data).' '.$title.'</label></li>'.$nl;
+ $checklist .= '<li><label>'.form::checkbox($data).' '.html::purify($title).'</label></li>'.$nl;
 }
 $checklist .= '</ul>';
diff --git a/modules/forge/libraries/Form_Group.php b/modules/forge/libraries/Form_Group.php
index 29eff510..e0601321 100644
--- a/modules/forge/libraries/Form_Group.php
+++ b/modules/forge/libraries/Form_Group.php
@@ -57,7 +57,7 @@ class Form_Group_Core extends Forge {
 {
 if ($label = $this->data['label'])
 {
- return $this->data['label'];
+ return html::purify($this->data['label']);
 }
 }
 else
diff --git a/system/helpers/form.php b/system/helpers/form.php
index ce8767c5..815eef84 100644
--- a/system/helpers/form.php
+++ b/system/helpers/form.php 
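Review bot: The checkbox label is passed through `html::clean()` while the sibling hunks in Form_Checklist.php and Form_Group.php (and every form.php hunk below) use `html::purify()`, so the same label string may render differently depending on which widget emits it; if the two helpers differ in what markup they keep, a lone checkbox and a checklist entry built from the same label will not match. Either use one helper on all label/title paths or record the reason for the exception on this line, e.g. `// clean(), not purify(): this label is treated as plain text`, if that is the intent. Only the tail of the rendering method is visible; its start lies outside the hunk.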
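Review bot: The new return re-reads `$this->data['label']` although the `if` on the previous line already copied it into `$label`; `return html::purify($label);` reads the value once and gives the assignment-in-condition a purpose. The truthiness test on that `if` sends a label of `'0'` or `''` to the `else` branch that begins outside this hunk; that is pre-existing, but a one-line `// falsy label ('' or '0') falls through to the default below` would save the next reader a trip. The enclosing method starts and ends outside the hunk.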
@@ -283,15 +283,21 @@ class form_Core {
 // Inner key should always be a string
 $inner_key = (string) $inner_key;
- $sel = in_array($inner_key, $selected) ? ' selected="selected"' : '';
- $input .= '<option value="'.$inner_key.'"'.$sel.'>'.$inner_val.'</option>'."\n";
+ $attr = array('value' => $inner_key);
+ if (in_array($inner_key, $selected)) {
+ $attr['selected'] = 'selected';
+ }
+ $input .= '<option '.html::attributes($attr).'>'.html::purify($inner_val).'</option>'."\n";
 }
 $input .= '</optgroup>'."\n";
 }
 else
 {
- $sel = in_array($key, $selected) ? ' selected="selected"' : '';
- $input .= '<option value="'.$key.'"'.$sel.'>'.$val.'</option>'."\n";
+ $attr = array('value' => $key);
+ if (in_array($key, $selected)) {
+ $attr['selected'] = 'selected';
+ }
+ $input .= '<option '.html::attributes($attr).'>'.html::purify($val).'</option>'."\n";
 }
 }
 $input .= '</select>';
@@ -410,8 +416,9 @@ class form_Core {
 {
 $value = arr::remove('value', $data);
 }
+ // $value must be ::purify
- return '<button'.form::attributes($data, 'button').' '.$extra.'>'.$value.'</button>';
+ return '<button'.form::attributes($data, 'button').' '.$extra.'>'.html::purify($value).'</button>';
 }
 /**
@@ -455,7 +462,7 @@ class form_Core {
 $text = ucwords(inflector::humanize($data['for']));
 }
- return '<label'.form::attributes($data).' '.$extra.'>'.$text.'</label>';
+ return '<label'.form::attributes($data).' '.$extra.'>'.html::purify($text).'</label>';
 }
 /** |
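Review bot: `html::purify()` is applied to the `<option>` text in both new branches, but option content cannot carry markup, so any tag the purifier lets through will be displayed literally (or dropped) by the browser rather than rendered; the escape-only helper is the right tool here, and the Form_Checkbox hunk's `html::clean()` appears to be that helper, though I cannot confirm its semantics from this page. The two new five-line blocks are also identical except for the variable names, so a small helper removes the duplication and keeps the escaping decision in one place; the sketch below keeps the non-strict `in_array()` the original relied on. The enclosing dropdown method starts and ends outside the hunk.
```php
// … unchanged: dropdown() — each new option block becomes one call …
$input .= form::option($inner_key, $inner_val, $selected);
// … and, in the else branch …
$input .= form::option($key, $val, $selected);

/**
 * Renders a single <option>; $selected holds the currently selected values.
 * Option text is escaped, not purified, because <option> cannot contain markup.
 */
protected static function option($value, $text, array $selected)
{
    $attr = array('value' => $value);
    if (in_array($value, $selected)) {
        $attr['selected'] = 'selected';
    }
    return '<option '.html::attributes($attr).'>'.html::clean($text).'</option>'."\n";
}
```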
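Review bot: The added comment `// $value must be ::purify` in the button hunk reads as an instruction to a future editor rather than an explanation, and it sits a line away from the `html::purify($value)` call it refers to, so it will drift; either drop it, since the call speaks for itself, or make it say why, e.g. `// purify rather than escape so a caption may carry inline markup`, if that is the intention. Only one of the branches that set `$value` is visible and the button method starts outside the hunk, so whether `$value` can reach the call as NULL cannot be judged from here.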