Forums > CSDb Bug Reports > quoting bug
2009-09-22 07:01
chatGPZ

Registered: Dec 2001
Posts: 11293
quoting bug

When I use quotes in a forum message, this happens

"this is quoted"
2009-09-22 13:12
chatGPZ

Registered: Dec 2001
Posts: 11293
Filter all HTML tags from the input?

Or better yet, do nothing and permban whoever messes around with it? =P
2009-09-22 13:24
jailbird

Registered: Dec 2001
Posts: 1576
htmlentities, strip_tags and mysql_real_escape_string/addslashes on the string before inserting into database.

- mysql_real_escape_string or addslashes to prevent SQL injection
- strip_tags to strip HTML/PHP tags
- htmlentities for the special chars

... and we're pretty much safe here, right?

Then, an html_entity_decode on the presentation layer. And we'll have international chars finally YEY \o/

I'm guessing that htmlentities is at most intended for mobility between different character encodings and to help present HTML/PHP code as rendered text on an HTML page. Still useful as a security layer, though.

Edit: Oh, just recalled that CSDb is running on PostgreSQL. So pg_escape_string in this case.
2009-09-22 13:54
Perff
Administrator

Posts: 1673
The database layer is all taken care of, but thanks anyway. ;)

strip_tags? Hm. Isn't that perhaps a bit too much?
I'd still prefer htmlentities over strip_tags, because then things are displayed as they are written in the text box (except for some special chars that are converted into Unicode), and things aren't stripped down as they would be with strip_tags. What if someone one day would like to write some example HTML in a post for some reason? :)

Hm.. Perhaps just some code to escape Unicode things from the evil htmlentities? Should be easy to make.

Edit: Oops.. Accidentally made that already. :)
But then it's no longer possible to write "& # 1234" (remove the spaces)
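As an added example (not CSDb's code and not written by any of the posters), here are the two approaches from the last two posts applied to the inputs this thread itself mentions; the function names and the sample posts are my own, and the code assumes PHP's standard htmlentities/strip_tags/htmlspecialchars behaviour with UTF-8.

```php
<?php
// Added example, not CSDb's own code: what the sanitisation steps discussed in
// the thread do to a post, for the inputs the thread itself mentions.
declare(strict_types=1);

// Constructed sample posts: a quote, some example HTML, the "& # 1234" numeric
// entity Perff mentions, and a Cyrillic name as in the thread.
const SAMPLE_POSTS = [
    '"this is quoted"',
    '<b>example html</b> <script>alert(1)</script>',
    '&#1234;',
    'Арнолд Чистаи',
];

// Variant A (jailbird's proposal): strip_tags + htmlentities before storing,
// html_entity_decode when displaying.
function storeA(string $post): string
{
    return htmlentities(strip_tags($post), ENT_QUOTES, 'UTF-8');
}

function showA(string $stored): string
{
    return html_entity_decode($stored, ENT_QUOTES, 'UTF-8');
}

// Variant B (Perff's preference plus Hein's UTF-8 page): store the text as
// written and escape once at output. Non-ASCII characters pass through
// unchanged, and a typed "&#1234;" is shown literally instead of rendered.
function showB(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

foreach (SAMPLE_POSTS as $post) {
    echo "raw     : $post\n";
    echo "A store : " . storeA($post) . "\n";
    echo "A show  : " . showA(storeA($post)) . "\n"; // decode undoes htmlentities
    echo "B show  : " . showB($post) . "\n\n";
}
// Observation: html_entity_decode(htmlentities(x)) gives back x, so variant A
// displays exactly strip_tags(x) and the example HTML is lost, while variant B
// keeps it visible as literal text and still renders the Cyrillic name as is.
```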
2009-09-22 14:10
booker

Registered: Jul 2003
Posts: 334
Quote: looks Polish to me

Because it has been fixed now. Am I right?

Dziękuję Perff!
2009-09-22 14:45
jailbird

Registered: Dec 2001
Posts: 1576
Quoting Perff
The database layer is all taken care of, but thanks anyway. ;)

Yeah thought so, just tried to be informative :)

A regular expression for escaping HTML tags except the code BBCode could also be a solution.

But I see it works perfectly now, you rule, Perff! :D

I could finally write down my name in the Cyrillic alphabet: Арнолд Чистаи \o/
2009-09-22 19:00
Hein

Registered: Apr 2004
Posts: 939
UTF-8 is not an option? :)
2009-09-22 19:31
Perff
Administrator

Posts: 1673
Damn you!! ;)

As I thought, I haven't fixed all places - yet.. But just wait.
Every time you mess something up like this, I'll have to find the missing fix - and fix it!
So I'll have to go to work now.. :)
2009-09-22 19:35
Hein

Registered: Apr 2004
Posts: 939
OK OK, I won't, so you can enjoy your spare time.
2009-09-22 19:38
Perff
Administrator

Posts: 1673
Ok.

Now I've fixed some of it..

But unless you guys experiment and mess up CSDb, I'll never find the missing places, so don't be shy. :)
2009-09-22 20:00
Hein

Registered: Apr 2004
Posts: 939
Personally I think it's easier to set the HTML to UTF-8, and let the browser do the work. Then you don't need to do your fixes.