After applying this RC (2.2.5 to 2.2.6rc) language constants with html get displayed unformatted when using 'insertBreak' form. The language constants: PHP-code: Will submit this as a bug at SourceForge.

that's because they added htmlspecialchars to the $extra tag in function insertbreak(), which now basicly works opposite to how it should and a few modules will not function correctly including formulize.

either remove the htmlspecialchars from the extra tag or you need to add a html_entity_decode to it.
or better still create an extra tag for insertBreak function which can decide whether to use htmlspecialchars() or not.

the use of htmlspecialchars in insertbreak imo is used incorrectly and can be a nuisance to scripts that use proper sanitation already. and there are times when you may need javascript or other html to be passed through insertbreak, but as it stands now, you're out of luck without either modifying the insertbreak function or asking all the module developers to also change their modules so that they work properly with insertbreak.

Monty,

I have to agree with you that htmlspecialChar is being used incorrectly and a proper fix should be used instead of this half ass approach.

Basically all these so called fixes should be removed asap.

Catz

cheers John, at least you're also on the right page as me :)

Quote:

if adding htmlspecialchars to form elements is classed as sanitizing then i'm stumped.

htmlspecialchars() isn't for sanitizing, it is for preventing user-inputted text from containing HTML markup tags.

note: prevention is not sanitizing.. sanitizing means to clean the text from malicious code etc, not to prevent html from being parsed.

so if you want to prevent html from being inputted by the user then by all means use htmlspecialchars.. but if you actually want to sanitize (clean) the users input of html then do not use htmlspecialchars.. i can't understand the reasoning behind it's use at all in many places on 2.0.18.

sanitize the input properly and there'd be no reason to prevent html in this case with htmlspecialchars.