1
McDonald
Losing formatting in lang-constants after applying 2.2.6RC
  • 2007/12/31 21:36

  • McDonald

  • Home away from home

  • Posts: 1072

  • Since: 2005/8/15


After applying this RC (2.2.5 to 2.2.6rc) language constants with html get displayed unformatted when using 'insertBreak' form. The language constants:
define"_AM_XTUBE_VIDEO_DLURL_NOTE1""(video id-code = http://www.youtube.com/watch?v=IsOtq-qCqZ4));
define"_AM_XTUBE_VIDEO_DLURL_NOTE2""(video id-code = http://www.metacafe.com/watch/191543/sperm_whale_encounters_underwater_robot/));
define"_AM_XTUBE_VIDEO_DLURL_NOTE3""(video id-code = http://www.ifilm.com/video/2718605));
define"_AM_XTUBE_VIDEO_DLURL_NOTE4""(video id-code = http://i39.photobucket.com/albums/e168/vailtom/th_BigSquid.jpg));
PHP-code:
$sform -> addElement( new XoopsFormText_AM_XTUBE_VIDEO_DLURL'url'70512$url ), true);
    
$note _AM_XTUBE_VIDEO_DLURL_NOTE1 "_AM_XTUBE_VIDEO_DLURL_NOTE2 "_AM_XTUBE_VIDEO_DLURL_NOTE3 "_AM_XTUBE_VIDEO_DLURL_NOTE4;
    
$sform -> insertBreaksprintf$note ), "even");
Will submit this as a bug at SourceForge.

2
vaughan
Re: Losing formatting in lang-constants after applying 2.2.6RC
  • 2008/1/2 22:17

  • vaughan

  • Friend of XOOPS

  • Posts: 680

  • Since: 2005/11/26


that's because they added htmlspecialchars to the $extra tag in function insertbreak(), which now basicly works opposite to how it should and a few modules will not function correctly including formulize.

either remove the htmlspecialchars from the extra tag or you need to add a html_entity_decode to it.
or better still create an extra tag for insertBreak function which can decide whether to use htmlspecialchars() or not.

the use of htmlspecialchars in insertbreak imo is used incorrectly and can be a nuisance to scripts that use proper sanitation already. and there are times when you may need javascript or other html to be passed through insertbreak, but as it stands now, you're out of luck without either modifying the insertbreak function or asking all the module developers to also change their modules so that they work properly with insertbreak.

3
Catzwolf
Re: Losing formatting in lang-constants after applying 2.2.6RC
  • 2008/1/3 7:38

  • Catzwolf

  • Home away from home

  • Posts: 1392

  • Since: 2007/9/30


Monty,

I have to agree with you that htmlspecialChar is being used incorrectly and a proper fix should be used instead of this half ass approach.

Basically all these so called fixes should be removed asap.

Catz

4
vaughan
Re: Losing formatting in lang-constants after applying 2.2.6RC
  • 2008/1/3 20:34

  • vaughan

  • Friend of XOOPS

  • Posts: 680

  • Since: 2005/11/26


cheers John, at least you're also on the right page as me :)

Quote:
from 2.0.18 release notes:

Added sanitizing to XOOPS form elements to avoid XSS


if adding htmlspecialchars to form elements is classed as sanitizing then i'm stumped.

htmlspecialchars() isn't for sanitizing, it is for preventing user-inputted text from containing HTML markup tags.

note: prevention is not sanitizing.. sanitizing means to clean the text from malicious code etc, not to prevent html from being parsed.

so if you want to prevent html from being inputted by the user then by all means use htmlspecialchars.. but if you actually want to sanitize (clean) the users input of html then do not use htmlspecialchars.. i can't understand the reasoning behind it's use at all in many places on 2.0.18.

sanitize the input properly and there'd be no reason to prevent html in this case with htmlspecialchars.

Login

Who's Online

410 user(s) are online (52 user(s) are browsing Support Forums)


Members: 0


Guests: 410


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Oct 31
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits