Forums > CSDb Bug Reports > quoting bug
2009-09-22 07:01
chatGPZ

Registered: Dec 2001
Posts: 11523
quoting bug

when i use quotes in a forum message this happens

"this is quoted"
2009-09-22 13:12
chatGPZ

Registered: Dec 2001
Posts: 11523
filter all html tags from the input?

or better yet, do nothing and permban whoever messes around with it? =P
2009-09-22 13:24
jailbird

Registered: Dec 2001
Posts: 1578
htmlentities, strip_tags and mysql_real_escape_string/addslashes on the string before inserting it into the database.

- mysql_real_escape_string or addslashes to prevent SQL injection
- strip_tags to strip HTML/PHP tags
- htmlentities for the special chars

... and we're pretty much safe here, right?

Then, an html_entity_decode on the presentation layer. And we'll have international chars finally YEY \o/

I'm guessing that htmlentities is at most intended for mobility between different character encodings and to help presenting html/php code as rendered text on a html page. Still useful as a security layer, though.

Edit: oh, just recalled that CSDb is running on PostgreSQL. So pg_escape_string in this case.
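An added example, not CSDb's code and not anything jailbird or Perff posted: the "escape before INSERT, decode on display" pipeline from the post above, reworked so that each layer does exactly one job. Table and column names and the sample post are constructed for the demo, and an in-memory SQLite database stands in for CSDb's PostgreSQL (pdo_sqlite is assumed to be available).

```php
<?php
// Added example, not CSDb's code: the "escape before INSERT, decode on
// display" pipeline from the post above, reworked so that each layer does
// exactly one job. Table and column names and the sample post are
// constructed for this demo, and an in-memory SQLite database stands in
// for CSDb's PostgreSQL (pdo_sqlite is assumed to be available).
declare(strict_types=1);

// Database layer. A prepared statement binds the text as a value, so no
// driver-specific escaping (addslashes, mysql_real_escape_string,
// pg_escape_string) is needed and none can be forgotten on one code path.
function store_post(PDO $db, string $author, string $body): int
{
    $stmt = $db->prepare('INSERT INTO posts (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
    return (int) $db->lastInsertId();
}

function load_post(PDO $db, int $id): array
{
    $stmt = $db->prepare('SELECT author, body FROM posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        throw new RuntimeException("no post with id $id");
    }
    return $row;
}

// Presentation layer. The stored text is the raw text; it is encoded once,
// here, for the context it lands in (an HTML element body). Because the
// database never held entities, there is no html_entity_decode step and
// nothing that can get double-encoded.
function render_post(array $post): string
{
    $esc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="post"><b>' . $esc($post['author']) . '</b>: ' . $esc($post['body']) . '</div>';
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');

// Constructed sample: double quotes, an apostrophe, a tag and non-ASCII
// letters, the kinds of input this thread reports as breaking.
$body = '"this is quoted" <b>bold?</b> Dziękuję, Арнолд';
$id   = store_post($db, "O'Brien", $body);
$post = load_post($db, $id);

// What comes back is byte-for-byte what was typed: no backslashes, no entities.
if ($post['body'] !== $body) {
    throw new RuntimeException('stored text was altered');
}

header('Content-Type: text/html; charset=UTF-8');
echo render_post($post), "\n";
```

The point of the split is that the database layer never needs to know about HTML and the presentation layer never needs to know about SQL; the text in the table is what the user typed, and every output context encodes it for itself.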
2009-09-22 13:54
Perff
Administrator

Posts: 1686
The database layer is all taken care of, but thanks anyway. ;)

strip_tags? Hm. Isn't that perhaps a bit too much?
I'd still prefer htmlentities over strip_tags, because then things are displayed as they are written in the text-box (except for some special chars that are converted into unicode), and things aren't stripped down as they would be with strip_tags. What if someone one day would like to write some example html in a post for some reason? :)

Hm.. Perhaps just some code to escape unicode things from the evil htmlentities? Should be easy to make.

Edit: Oops.. Accidentally made that already. :)
But then it's no longer possible to write "& # 1234" (remove the spaces)
2009-09-22 14:10
booker
Account closed

Registered: Jul 2003
Posts: 334
Quote: looks Polish to me

Because it has been fixed now. Am I right?

Dziękuję Perff!
2009-09-22 14:45
jailbird

Registered: Dec 2001
Posts: 1578
Quoting Perff
The database layer is all taken care of, but thanks anyway. ;)

Yeah thought so, just tried to be informative :)

A regular expression for escaping html tags except the code bbcode could also be a solution.

But I see it works perfectly now, you rule, Perff! :D

I could finally write down my name in cyrillic alphabet: Арнолд Чистаи \o/
2009-09-22 19:00
Hein

Registered: Apr 2004
Posts: 965
UTF-8 is not an option? :)
2009-09-22 19:31
Perff
Administrator

Posts: 1686
Damn you!! ;)

As I thought I haven't fixed all places - yet.. But just wait.
Every time you mess something up like this, I'll have to find the missing fix - and fix it!
So I'll have to go to work now.. :)
2009-09-22 19:35
Hein

Registered: Apr 2004
Posts: 965
Okok, I won't, so you can enjoy your spare time.
2009-09-22 19:38
Perff
Administrator

Posts: 1686
Ok.

Now I've fixed some of it..

But unless you guys experiment and mess up CSDb, I'll never find the missing places, so don't be shy. :)
2009-09-22 20:00
Hein

Registered: Apr 2004
Posts: 965
Personally I think it's easier to set the HTML to UTF-8, and let the browser do the work. Then you don't need to do your fixes.
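An added example, not code from CSDb or from anyone in this thread: the output treatments discussed above applied to one constructed post, so the difference between "fix it with entities" and "serve UTF-8 and let the browser do the work" is visible side by side. The sample text is constructed, and the page is assumed to be served with charset=UTF-8 as Hein suggests.

```php
<?php
// Added example, not CSDb's code: the output treatments this thread
// discusses, applied to one constructed post. The sample text is
// constructed; the page is assumed to declare charset=UTF-8.
declare(strict_types=1);

/** Apply each treatment to the text and return the results keyed by name. */
function treatments(string $text): array
{
    return [
        // strip_tags removes <b>...</b> outright, so a post that wants to
        // show example HTML loses it (Perff's objection).
        'strip_tags' => strip_tags($text),

        // htmlentities with the pre-PHP-5.4 default charset, ISO-8859-1,
        // applied to UTF-8 input: each byte is treated as one Latin-1
        // character, so "ę" becomes a Latin-1 entity plus a stray byte.
        // This is the kind of mangling that "looks Polish" in the thread.
        'htmlentities_latin1' => htmlentities($text, ENT_QUOTES, 'ISO-8859-1'),

        // htmlentities told the real charset: multibyte letters survive,
        // but anything with a named entity (here the copyright sign) is
        // still converted, which is why a decode step appears on the way back.
        'htmlentities_utf8' => htmlentities($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),

        // htmlspecialchars + UTF-8 on a charset=UTF-8 page (Hein's proposal):
        // only & < > " ' change. Letters pass through as UTF-8, a literal
        // "&#1234;" typed by the user shows exactly as typed, and a user who
        // wants that character simply types it. No decode step and no
        // entity-passthrough special case is needed.
        'htmlspecialchars_utf8' => htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),
    ];
}

/** True when every run of non-ASCII characters in the original survives the treatment unchanged. */
function keeps_non_ascii(string $original, string $treated): bool
{
    preg_match_all('/[^\x00-\x7F]+/u', $original, $m);
    foreach ($m[0] as $run) {
        if (strpos($treated, $run) === false) {
            return false;
        }
    }
    return true;
}

// Constructed sample: Polish letters, a Latin-1 symbol, a tag, an ampersand
// and a numeric entity typed as literal text.
$sample = 'Dziękuję, Perff! © <b>bold</b> & "&#1234;"';

header('Content-Type: text/html; charset=UTF-8');   // the declaration Hein refers to
foreach (treatments($sample) as $name => $out) {
    printf("%-22s non-ASCII intact: %-3s %s\n", $name, keeps_non_ascii($sample, $out) ? 'yes' : 'no', $out);
}
```

Run it from the command line and compare the rows: the Latin-1 row is unreadable, the two entity-based rows differ only in whether the copyright sign is spelled out, and the last row is the one that needs no fix-ups anywhere else in the stack.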