Forums > CSDb Bug Reports > quoting bug
2009-09-22 07:01
chatGPZ

Registered: Dec 2001
Posts: 11293
quoting bug

when i use quotes in a forum message this happens

"this is quoted"
2009-09-22 11:37
chatGPZ

Registered: Dec 2001
Posts: 11293
yep, that's exactly it.
2009-09-22 11:38
Devia

Registered: Oct 2004
Posts: 401
looks Polish to me
2009-09-22 11:46
jailbird

Registered: Dec 2001
Posts: 1576
HTML ISO-8859-1 Reference

So a html_entity_decode would probably fix this. That's in case the special chars aren't intentionally encoded on the presentation layer in the first place. The text was probably encoded to prevent injections to the data access layer, right?

Perff?
2009-09-22 13:03
Perff
Administrator

Posts: 1673
All text which comes from user input undergoes htmlentities before being displayed again. I guess this is pretty standard?

But this means that '&' is encoded to '&amp;', and therefore stuff like “ isn't displayed as the unicode char but as "“".

If I simply added a html_entity_decode, this would negate the html_entities, and then people can really mess up the site with html-tags etc.

So, what to do?
2009-09-22 13:12
chatGPZ

Registered: Dec 2001
Posts: 11293
filter all html tags from the input?

or better yet, do nothing and permban whoever messes around with it? =P
2009-09-22 13:24
jailbird

Registered: Dec 2001
Posts: 1576
htmlentities, strip_tags and mysql_real_escape_string/addslashes on the string before inserting into database.

- mysql_real_escape_string or addslashes to prevent SQL injection
- strip_tags to strip HTML/PHP tags
- htmlentities for the special chars

... and we're pretty much safe here, right?

Then, a html_entity_decode on the presentation layer. And we'll have international chars finally YEY \o/

I'm guessing that htmlentities is at most intended for mobility between different character encodings and to help presenting html/php code as rendered text on a html page. Still useful as a security layer, though.

Edit: oh, just recalled that CSDb is running on PostgreSQL. So pg_escape_string in this case.
2009-09-22 13:54
Perff
Administrator

Posts: 1673
The database layer is all taken care of, but thanks anyway. ;)

strip_tags? Hm. Isn't that perhaps a bit too much?
I'd still prefer htmlentities over strip_tags, because then things are displayed as they are written in the text-box (except for some special chars that are converted into unicode), and things aren't stripped down as they would be with strip_tags. What if someone one day would like to write some example html in a post for some reason? :)

Hm.. Perhaps just some code to escape unicode things from the evil htmlentities? Should be easy to make.

Edit: Oops.. Accidentally made that already. :)
But then it's no longer possible to write "& # 1234" (remove the spaces)
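The escaping problem discussed in this thread, as an added PHP example (not CSDb's code; the function names are mine): the double-encoding that htmlentities causes, why decoding everything afterwards is unsafe, Perff's fix of restoring only numeric character references with its stated caveat, and, going a step beyond the thread, the UTF-8 route Hein asks about.

```php
<?php
// Added example, not CSDb's code. Shows the double-encoding bug from this
// thread, the "restore numeric references only" approach Perff describes,
// and the UTF-8 alternative Hein asks about. Function names are mine.

// Constructed sample post: numeric character references plus an HTML tag.
$post = 'He said &#8220;hi&#8221; <b>and</b> Dzi&#281;kuj&#281;';

// What CSDb originally did: htmlentities() also escapes the '&' of each
// reference, so the browser shows the literal text "&#8220;", not a quote.
function escape_for_display(string $text): string
{
    return htmlentities($text, ENT_QUOTES, 'ISO-8859-1');
}

// What Perff rejected: html_entity_decode() on the displayed text undoes
// htmlentities() completely, so '<b>' (and any other tag) comes back alive.
function decode_everything_unsafe(string $text): string
{
    return html_entity_decode(escape_for_display($text), ENT_QUOTES, 'ISO-8859-1');
}

// Perff's approach: escape everything, then restore only well-formed numeric
// references (&#1234; or &#x1F600;). '<', '>' and every other '&' stay
// escaped, so tags still cannot be injected. Caveat from the thread: a user
// can no longer show the literal text "&#1234;", because it renders as a glyph.
function escape_keep_numeric_refs(string $text): string
{
    $escaped = escape_for_display($text);
    return preg_replace('/&amp;(#(?:\d{1,7}|x[0-9a-fA-F]{1,6});)/', '&$1', $escaped);
}

// Hein's alternative: store UTF-8 and escape only the HTML metacharacters.
// International text needs no references at all, and no decoding step exists.
function escape_utf8(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

echo escape_for_display($post), "\n";
echo decode_everything_unsafe($post), "\n";
echo escape_keep_numeric_refs($post), "\n";
echo escape_utf8('Арнолд Чистаи <b>x</b>'), "\n";
```

Only the second line of output contains a live `<b>` tag; the third keeps the quotes and the Polish letters as references while the tag stays as `&lt;b&gt;`.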
2009-09-22 14:10
booker

Registered: Jul 2003
Posts: 334
Quote: looks Polish to me

Because it has been fixed now. Am I right?

Dziękuję Perff!
2009-09-22 14:45
jailbird

Registered: Dec 2001
Posts: 1576
Quoting Perff
The database layer is all taken care off, but thanks anyway. ;)

Yeah thought so, just tried to be informative :)

A regular expression for escaping html tags except the code bbcode could also be a solution.

But I see it works perfectly now, you rule, Perff! :D

I could finally write down my name in the Cyrillic alphabet: Арнолд Чистаи \o/
2009-09-22 19:00
Hein

Registered: Apr 2004
Posts: 939
UTF-8 is not an option? :)
All times are CET.