In-Portal Issue Tracker

Welcome to the In-Portal Open Source CMS Issue Tracker! This is a central management / tracking tool for all types of tasks / issues / bugs for the In-Portal Project. Before reporting any issues, please make sure to read the Guide into Issue Tracker and How to Properly Test and Report Bugs!
Main | My View | View Issues | Change Log | Roadmap | Docs | Wiki | Repositories
  

Dependency Graph View Issue ] Relation Graph ] Vertical ]
related to child of duplicate of

Viewing Issue Simple Details
ID Category Type Reproducibility Date Submitted Last Update
0001437 [In-Portal CMS] Front End bug report always 2012-11-05 11:31 2012-11-05 11:31
Reporter alex View Status public  
Assigned To
Priority normal Resolution open  
Status active      
Summary 0001437: Prevent force-escaping of data on Front-End
Description Preface:
In-Portal apply "htmlspecialchars" function on all input that comes from Front-End user.

This is good, but when submitted link name is "good & bad", then it will become "good & bad" in database and produce "/category/good-amp-bad.html" url. Both "&" and ";" are restricted symbols and are stripped from url, but "amp" stays.


Solution:
1. kHTTPQuery class - don't automatically encode all input that comes from Front-End
2. Front-End template - find every use of inp2: tag, that is glued into HTML markup (e.g. <input value="_INP_TAG_HERE_"/>) and add html_escape="1" to prevent " or ' from breaking down HTML tag
3. Scan all text fields in database and do htmlspecialchars_decode function on them no matter what's inside. I suppose that function is clever enough to keep existing field value if nothing needs to be replaced.
Additional Information

Main | My View | View Issues | Change Log | Roadmap | Docs | Wiki | Repositories
  

Web Development by Intechnic
In-Portal Open Source CMS
In-Portal Open Source CMS
Copyright © 2000 - 2009 MantisBT Group

Powered by Mantis Bugtracker