xoops forums

McDonald (Home away from home; Posts: 1072; Since: 2005/8/15)
Posted on: 2007/12/31 21:36
#1

Losing formatting in lang-constants after applying 2.2.6RC

After applying this RC (2.2.5 to 2.2.6rc) language constants with html get displayed unformatted when using 'insertBreak' form. The language constants:
define( "_AM_XTUBE_VIDEO_DLURL_NOTE1", "<small>(video id-code = http://www.youtube.com/watch?v=<fo ... ;IsOtq-qCqZ4</font>)</small>" );
define( "_AM_XTUBE_VIDEO_DLURL_NOTE2", "<small>(video id-code = http://www.metacafe.com/watch/<fon ... water_robot</font>/)</small>" );
define( "_AM_XTUBE_VIDEO_DLURL_NOTE3", "<small>(video id-code = http://www.ifilm.com/video/<font&n ... 0>2718605</font>)</small>" );
define( "_AM_XTUBE_VIDEO_DLURL_NOTE4", "<small>(video id-code = http://i39.photobucket.com/albums/< ... BigSquid</font>.jpg)</small>" );
PHP-code:
// XoopsFormText( caption, name, size, maxlength, value )
$sform->addElement( new XoopsFormText( _AM_XTUBE_VIDEO_DLURL, 'url', 70, 512, $url ), true );

// Join the four HTML notes into one block for the break row
$note = _AM_XTUBE_VIDEO_DLURL_NOTE1 . "<br />" . _AM_XTUBE_VIDEO_DLURL_NOTE2 . "<br />" . _AM_XTUBE_VIDEO_DLURL_NOTE3 . "<br />" . _AM_XTUBE_VIDEO_DLURL_NOTE4;

$sform->insertBreak( sprintf( $note ), "even" );
Will submit this as a bug at SourceForge.

vaughan (Friend of XOOPS; Posts: 684; Since: 2005/11/26)
Posted on: 2008/1/2 22:17
#2

Re: Losing formatting in lang-constants after applying 2.2.6RC

That's because they added htmlspecialchars to the $extra tag in function insertBreak(), which now basically works opposite to how it should, and a few modules will not function correctly, including Formulize.

Either remove the htmlspecialchars from the extra tag, or you need to add an html_entity_decode to it.
Or, better still, create an extra tag for the insertBreak function which can decide whether to use htmlspecialchars() or not.

The use of htmlspecialchars in insertBreak IMO is incorrect and can be a nuisance to scripts that use proper sanitization already. And there are times when you may need JavaScript or other HTML to be passed through insertBreak, but as it stands now, you're out of luck without either modifying the insertBreak function or asking all the module developers to also change their modules so that they work properly with insertBreak.

Catzwolf (Home away from home; Posts: 1392; Since: 2007/9/30)
Posted on: 2008/1/3 7:38
#3

Re: Losing formatting in lang-constants after applying 2.2.6RC

Monty,

I have to agree with you that htmlspecialchars is being used incorrectly and a proper fix should be used instead of this half-assed approach.

Basically, all these so-called fixes should be removed ASAP.

Catz

vaughan (Friend of XOOPS; Posts: 684; Since: 2005/11/26)
Posted on: 2008/1/3 20:34
#4

Re: Losing formatting in lang-constants after applying 2.2.6RC

Cheers John, at least you're also on the same page as me :)

Quote (from the 2.0.18 release notes):
Added sanitizing to XOOPS form elements to avoid XSS

If adding htmlspecialchars to form elements is classed as sanitizing then I'm stumped.

htmlspecialchars() isn't for sanitizing, it is for preventing user-inputted text from containing HTML markup tags.

Note: prevention is not sanitizing. Sanitizing means to clean the text of malicious code etc., not to prevent HTML from being parsed.

So if you want to prevent HTML from being inputted by the user then by all means use htmlspecialchars, but if you actually want to sanitize (clean) the user's input of HTML then do not use htmlspecialchars. I can't understand the reasoning behind its use at all in many places in 2.0.18.

Sanitize the input properly and there'd be no reason to prevent HTML in this case with htmlspecialchars.
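The flag-based approach suggested in reply #2, and the escaping-versus-sanitizing distinction drawn in reply #4, as an added example that is not XOOPS code or any poster's own code: a minimal stand-in for insertBreak() where the caller states whether $extra is module-authored markup (language constants) or untrusted data, so htmlspecialchars() is applied only in the second case. The class, the $trustedHtml parameter and the sample constant are assumptions for illustration.

```php
<?php
// Added example, not from the XOOPS core. DemoForm and $trustedHtml are assumed names.

// Constructed sample standing in for the module's real language constant.
define('_AM_XTUBE_VIDEO_DLURL_NOTE1',
    '<small>(video id-code = http://www.youtube.com/watch?v=<font color="red">VIDEO_ID</font>)</small>');

class DemoForm
{
    private $rows = array();

    // $extra: HTML for the break row.
    // $trustedHtml: true only when $extra comes from code the module author controls
    // (language files, hard-coded notes); false for anything derived from request
    // data or user-written database content. Unconditional escaping, as in 2.2.6RC,
    // breaks the first case; unconditional pass-through would expose the second to XSS.
    public function insertBreak($extra = '', $class = '', $trustedHtml = false)
    {
        $content = $trustedHtml
            ? $extra
            : htmlspecialchars($extra, ENT_QUOTES, 'UTF-8');
        // The class name is never trusted markup, so it is always escaped.
        $classAttr = ($class !== '')
            ? ' class="' . htmlspecialchars($class, ENT_QUOTES, 'UTF-8') . '"'
            : '';
        $this->rows[] = '<tr><td colspan="2"' . $classAttr . '>' . $content . '</td></tr>';
        return $content;
    }

    public function render()
    {
        return implode("\n", $this->rows);
    }
}

$form = new DemoForm();

// 1. Module-authored note from the language file: rendered as markup.
$form->insertBreak(_AM_XTUBE_VIDEO_DLURL_NOTE1, 'even', true);

// 2. Untrusted value (constructed): the default path escapes it, so the tags
//    are displayed as text in the admin page instead of being interpreted.
$userSupplied = 'My title <script>alert(1)</script>';
$form->insertBreak($userSupplied, 'odd');

echo $form->render(), "\n";
```

Note that htmlspecialchars() here is escaping, not sanitizing in the sense reply #4 uses: it makes untrusted text safe to display, whereas letting a user supply a limited HTML subset would need an allowlist-based HTML filter instead.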