XOOPS 
Forum
Forum Index General Forums Community Support Modules Support Themes Support Development International Support Module Hack Reviews Theme Designer Talk
  1. Board index / 
  2. XOOPS Modules Support forums / 
  3. Module troubleshooting 
  4.  / Protector doesn't like & # 3 9 ;
Register
1
JCash
Protector doesn't like & # 3 9 ;

  • 2011/10/17 14:55

  • JCash

  • Just popping in

  • Posts: 66

  • Since: 2011/2/22


When I enter something like that in my custom block :

I'am just a singer of song

Protector replies SQL INJECTION FOUND and in details :
Quote:
UPDATE x22e_newblocks SET options='', name='Bloc personnalisé (Format auto sans smileys)', isactive=1, title='[My Title block]', content='

I & # 3 9 ; m a singer of songs

', side=5, weight=99, visible=0, c_type='', template='', bcachetime=0, last_modified=1318862418 WHERE bid=67


I use many hacks so it is not a bug, just something very annoying for me :


1. I use CKEditor by default in all my blocks

For that I had to replace into class/xoopsform/formdhtmltextarea.php :

//var $htmlEditor = array();

by :
var $htmlEditor = array( 'XoopsFormCkeditor''/class/xoopseditor/ckeditor/ckeditor.php' );


PS : I know there is an option to do that directly from System preferences, but ... it does not work (CKEditor is not displayed instead of standard editor)


2. I use <{block id = 67}> to display my block


Is there something to do to save my " & # 3 9 ; " ?

Thanks
2
JCash
Re: Protector doesn't like & # 3 9 ;

  • 2011/10/17 15:10

  • JCash

  • Just popping in

  • Posts: 66

  • Since: 2011/2/22


More information :

> it seems to be related to class/smarty/xoops_plugins/function.block.php file (because usual blocks work with simple quote)

> all entities for simple quote are banned :
& # 3 9 ;
& # 0 3 9 ;
& # x 2 7 ;

> exceptions seem allowed into Protector ('protector/library/HTMLPurifier/Lexer.php')
/**
     * Most common entity to raw value conversion table for special entities.
     */
    protected $_special_entity2str =
            array(
                    '"' => '"',
                    '&'  => '&',
                    '<'   => '<',
                    '>'   => '>',
                    '''  => "'",
                    ''' => "'",
                    ''' => "'"
            );


> Xoops 2.5.3 and CKEditor 3.6 : with Xoops 2.5.1 and the same CKE version, there is no trouble
3
trabis
Re: Protector doesn't like & # 3 9 ;

  • 2011/10/17 18:52

  • trabis

  • Core Developer

  • Posts: 2269

  • Since: 2006/9/1 1


Quote:

JCash wrote:

1. I use CKEditor by default in all my blocks


You need to tell your editor to not post html entities. Entities are for displaying, not to save on database.

The post string should look like this: "I'm a singer of songs"
The query (look at debug) should look like this: "I\'m a singer of songs" (core will escape the single quote)

4
JCash
Re: Protector doesn't like & # 3 9 ;

  • 2011/10/17 20:16

  • JCash

  • Just popping in

  • Posts: 66

  • Since: 2011/2/22


Thanks trabis !

Just add
Quote:
config.entities = false;

... into ckeditor/configs.js

Solved
5
trabis
Re: Protector doesn't like & # 3 9 ;

  • 2011/10/17 20:17

  • trabis

  • Core Developer

  • Posts: 2269

  • Since: 2006/9/1 1


Quote:

JCash wrote:
Thanks trabis !

Just add
Quote:
config.entities = false;

... into ckeditor/configs.js

Solved


Wow, that was simple!
6
JCash
Re: Protector doesn't like & # 3 9 ;

  • 2011/10/17 20:19

  • JCash

  • Just popping in

  • Posts: 66

  • Since: 2011/2/22


yeah

CKeditor is very popular tool, so it is more than easy to find an answer. Te most difficult thing is to ask the good question

Login

Register now!  |  Lost Password?

Search

Advanced Search

Recent Posts

Who's Online

382 user(s) are online (294 user(s) are browsing Support Forums)

Members: 0

Guests: 382

more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Nov 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits