1
JCash
Protector doesn't like &#39;
  • 2011/10/17 14:55

  • JCash

  • Just popping in

  • Posts: 66

  • Since: 2011/2/22


When I enter something like this in my custom block:

I'm just a singer of songs

Protector replies SQL INJECTION FOUND and in details:
Quote:
UPDATE x22e_newblocks SET options='', name='Bloc personnalisé (Format auto sans smileys)', isactive=1, title='[My Title block]', content='<h4>I&#39;m a singer of songs</h4>', side=5, weight=99, visible=0, c_type='', template='', bcachetime=0, last_modified=1318862418 WHERE bid=67


I use many hacks, so it is not a bug, just something very annoying for me:


1. I use CKEditor by default in all my blocks

For that I had to replace, in class/xoopsform/formdhtmltextarea.php:

//var $htmlEditor = array();

by:

var $htmlEditor = array('XoopsFormCkeditor', '/class/xoopseditor/ckeditor/ckeditor.php');


PS: I know there is an option to do that directly from System preferences, but ... it does not work (CKEditor is not displayed instead of the standard editor)


2. I use <{block id = 67}> to display my block


Is there something to do to save my "&#39;"?

Thanks

2
JCash
Re: Protector doesn't like &#39;
  • 2011/10/17 15:10

  • JCash

  • Just popping in

  • Posts: 66

  • Since: 2011/2/22


More information:

> it seems to be related to the class/smarty/xoops_plugins/function.block.php file (because usual blocks work with a single quote)

> all entities for the single quote are banned:
&#39;
&#039;
&#x27;

> exceptions seem allowed in Protector ('protector/library/HTMLPurifier/Lexer.php')

    /**
     * Most common entity to raw value conversion table for special entities.
     */
    protected $_special_entity2str =
            array(
                    '&quot;' => '"',
                    '&amp;'  => '&',
                    '&lt;'   => '<',
                    '&gt;'   => '>',
                    '&#39;'  => "'",
                    '&#039;' => "'",
                    '&#x27;' => "'"
            );


> Xoops 2.5.3 and CKEditor 3.6: with Xoops 2.5.1 and the same CKE version, there is no trouble

3
trabis
Re: Protector doesn't like &#39;
  • 2011/10/17 18:52

  • trabis

  • Core Developer

  • Posts: 2269

  • Since: 2006/9/1 1


Quote:

JCash wrote:

1. I use CKEditor by default in all my blocks


You need to tell your editor not to post HTML entities. Entities are for displaying, not for saving in the database.

The post string should look like this: "I'm a singer of songs"
The query (look at debug) should look like this: "I\'m a singer of songs" (core will escape the single quote)


4
JCash
Re: Protector doesn't like &#39;
  • 2011/10/17 20:16

  • JCash

  • Just popping in

  • Posts: 66

  • Since: 2011/2/22


Thanks trabis !

Just add
Quote:
config.entities = false;

... into ckeditor/configs.js

Solved
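The explanation in trabis's reply and the one-line fix above are easier to see end to end in code. The block below is an added example; it is not code from this thread, from XOOPS Protector or from CKEditor. It models the two pipelines in plain Node.js: the editor's entity setting (before and after the fix), the string the form posts, the escaping the core applies, and the resulting UPDATE, so that the difference between a raw apostrophe and an entity-encoded one in the query is visible without a browser. Assumptions, all labelled in the code: `editorOutput` is a simplified re-implementation of CKEditor 3's entities plugin for the few characters that matter here (CKEditor 3 ships with `entities = true` and `entities_additional = '#39'`, which is what produces `&#39;`); `escapeForMysql` mimics mysql_real_escape_string; `hasEncodedApostrophe` is this example's own heuristic for the symptom, not Protector's detection code; `normaliseApostrophes` is a server-side alternative the thread does not use.

```javascript
'use strict';

// Added example; not code from the XOOPS thread, XOOPS Protector or CKEditor.
// Models the editor -> form post -> core escaping -> SQL pipeline discussed in
// the thread so the effect of the entity setting is visible in Node.js.

// --- Editor side: ckeditor/config.js before and after the fix ---------------
// CKEditor 3 reads its configuration through CKEDITOR.editorConfig(config);
// these two functions have that shape so they run without the CKEDITOR global.

// CKEditor 3 defaults made explicit: entities=true together with
// entities_additional='#39' is what turns an apostrophe into &#39; on post.
function editorConfigBefore(config) {
  config.entities = true;
  config.entities_additional = '#39';
  return config;
}

// The one-line fix from the thread: no entity encoding at all.
function editorConfigAfter(config) {
  config.entities = false;
  return config;
}

// Simplified model (assumption) of what the editor posts for a block whose body
// is a single <h4> text node. Markup characters are always encoded, whatever
// the entities setting; the apostrophe becomes &#39; only when the entities
// plugin is on and '#39' is listed in entities_additional.
function editorOutput(text, config) {
  let s = text.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
  const extra = String(config.entities_additional || '').split(',').map(e => e.trim());
  if (config.entities && extra.includes('#39')) {
    s = s.replace(/'/g, '&#39;');
  }
  return `<h4>${s}</h4>`;
}

// --- Server side: what happens to the posted string --------------------------
// Mimics mysql_real_escape_string: backslash, both quotes, NUL, LF, CR, Ctrl-Z.
function escapeForMysql(value) {
  return String(value).replace(/[\0\n\r\\'"\x1a]/g, ch => {
    switch (ch) {
      case '\0': return '\\0';
      case '\n': return '\\n';
      case '\r': return '\\r';
      case '\x1a': return '\\Z';
      default: return '\\' + ch; // backslash and quotes
    }
  });
}

// The UPDATE as the page's debug output shows it: content escaped by the core,
// block id forced to an integer so it cannot carry anything but a number.
function buildUpdate(content, bid) {
  const id = Number(bid);
  if (!Number.isInteger(id)) throw new TypeError('bid must be an integer');
  return `UPDATE x22e_newblocks SET content='${escapeForMysql(content)}' WHERE bid=${id}`;
}

// The three spellings the second post lists (&#39; &#039; &#x27;), with leading
// zeros and either case accepted, as HTML parsers accept them.
const ENCODED_APOSTROPHE = /&#(?:0*39|x0*27);/i;

// Symptom check written for this example (not Protector's code): an apostrophe
// hidden inside an entity in a query string.
function hasEncodedApostrophe(sql) {
  return ENCODED_APOSTROPHE.test(sql);
}

// Server-side alternative when the editor cannot be reconfigured: turn only the
// apostrophe entities back into the raw character before storage and let the
// normal escaping handle it. It deliberately leaves &lt; &gt; &amp; alone:
// decoding those on input would turn text the author typed into live markup.
function normaliseApostrophes(html) {
  return html.replace(new RegExp(ENCODED_APOSTROPHE.source, 'gi'), "'");
}

// Runs the sentence from the thread through both configurations.
function demo() {
  const typed = "I'm a singer of songs"; // constructed input, as in the first post
  const before = editorOutput(typed, editorConfigBefore({}));
  const after = editorOutput(typed, editorConfigAfter({}));
  return {
    before,
    after,
    beforeQuery: buildUpdate(before, 67),
    afterQuery: buildUpdate(after, 67),
    normalisedQuery: buildUpdate(normaliseApostrophes(before), 67),
  };
}

console.log(demo());
```

With the "before" configuration the query carries `<h4>I&#39;m ...</h4>`: no quote character for the core to escape, and an apostrophe that any consumer decoding entities will see unescaped. With the fix the editor posts the raw `'`, the core escapes it to `I\'m`, and the stored value is the canonical text; encoding for display is then the template's job. The server-side normalisation gives the same query and is the option if the editor config cannot be touched, but it must stay limited to the apostrophe entities for the reason in the comment.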

5
trabis
Re: Protector doesn't like &#39;
  • 2011/10/17 20:17

  • trabis

  • Core Developer

  • Posts: 2269

  • Since: 2006/9/1 1


Quote:

JCash wrote:
Thanks trabis !

Just add
Quote:
config.entities = false;

... into ckeditor/configs.js

Solved


Wow, that was simple!

6
JCash
Re: Protector doesn't like &#39;
  • 2011/10/17 20:19

  • JCash

  • Just popping in

  • Posts: 66

  • Since: 2011/2/22


yeah

CKEditor is a very popular tool, so it is more than easy to find an answer. The most difficult thing is to ask the right question.
