Where is this code from? Your own code? Why would you want to call Input::post() in a form, that is very bad coding practice, a View should not contain any logic.
We develop on 7.0.18, and haven't seen any error of this kind, in any of our apps.
Form::input() requires a string as second argument, as per the documentation. you are passing an array here, because you've commented out the second argument.
Now that I see what you do, it is even worse. By using Input::post() in your View, you bypass every security mechanism in Fuel. Your application is wide open for almost every injection attack.
NEVER use posted input unscreened, unvalidated and unencoded in a view !!!
Thank you for your suggestion. However, the code is generated by oil command. so, I reuse it. Instead of input::post(), I better use like val->valided(). Well I will replace it tomorrow.
But even if you don't validate, passing Input::post() from the controller into the View would cause all input data to be encoded, and rendered harmless,
Correct. Anything you pass to the View object is encoded by default, including ORM objects. So any injected javascript (for example) is rendered harmless.
The third argument is true by default, it is configured in your config.php ("security.auto_filter_output").
A lot of frameworks filter on input. We believe that doing that will potentially make it slow (depending on the filter level) and will potentially alter the data (by stripping for example). So we don't do that, instead, we encode on output. This has the added benefit of rendering any data harmless, no matter where it comes from.
As a developer you can always decide to filter and strip as part of your input validation.
Donate
