In-Portal Issue Tracker - In-Portal CMS
Viewing Issue Advanced Details
| ID | Category | Type | Reproducibility | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 1437 | [In-Portal CMS] Front End | bug report | always | 2012-11-05 11:31 | 2012-11-05 11:31 |

| Reporter: | alex | Platform: | |
| Assigned To: | | OS: | |
| Priority: | normal | OS Version: | |
| Status: | active | Product Version: | 5.1.0 |
| Product Build: | | Resolution: | open |
| ETA: | none | Fixed in Version: | |
| Reference: | https://groups.google.com/d/topic/in-portal-bugs/Xp1w4_As7hw/discussion | | |
| Change Log Message: | Fixes forced-escaping of front-end input | | |
| Estimate Points: | 2 | | |
Summary: 0001437: Prevent force-escaping of data on Front-End

Description:

Preface: In-Portal applies the "htmlspecialchars" function to all input that comes from a Front-End user. This is good, but when the submitted link name is "good & bad", then it becomes "good &amp; bad" in the database and produces the "/category/good-amp-bad.html" URL. Both "&" and ";" are restricted symbols and are stripped from the URL, but "amp" stays.

Solution:

1. kHTTPQuery class - don't automatically encode all input that comes from the Front-End.
2. Front-End templates - find every use of an inp2: tag that is glued into HTML markup (e.g. <input value="_INP_TAG_HERE_"/>) and add html_escape="1" to prevent " or ' from breaking the HTML tag.
3. Scan all text fields in the database and apply the htmlspecialchars_decode function to them no matter what's inside. I suppose that function is clever enough to keep the existing field value if nothing needs to be replaced.
Steps To Reproduce: (none)
Additional Information: (none)
Relationships: (none)
Attached Files: (none)
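The escape-on-input path the report describes, next to the escape-at-output behaviour it proposes and the one-off decode over existing rows, as an added PHP example that is not In-Portal's own code; makeSlug() and renderInput() are assumed, simplified stand-ins for the CMS's URL generation and for an inp2: tag with html_escape="1":

```php
<?php
// Added example, not In-Portal code. makeSlug() is an assumed, simplified
// stand-in for the CMS's URL generation: it strips the restricted symbols
// the report mentions ("&" and ";", plus quotes and angle brackets) and
// turns whitespace runs into "-".
function makeSlug(string $name): string
{
    $slug = strtolower(trim($name));
    $slug = preg_replace('/[&;"\'<>]/', '', $slug);
    return preg_replace('/\s+/', '-', $slug);
}

// Escaping at the HTML boundary only: what html_escape="1" on an inp2: tag
// would do when the stored value is glued into a tag attribute (assumed).
function renderInput(string $storedValue): string
{
    return '<input value="' . htmlspecialchars($storedValue, ENT_QUOTES, 'UTF-8') . '"/>';
}

$submitted = 'good & bad';   // constructed sample input, as in the report

// Current behaviour: kHTTPQuery escapes on input, so the entity text is what
// reaches the database and, from there, the slug. The "&" and ";" are stripped
// by makeSlug(), but the letters "amp" survive as part of the name.
$storedEscaped = htmlspecialchars($submitted, ENT_QUOTES, 'UTF-8');
echo "escape-on-input slug:  ", makeSlug($storedEscaped), "\n";

// Proposed behaviour: store the raw value, escape only where it meets HTML.
// The slug is built from the real name, and the attribute stays safe:
// a quote inside the name is encoded instead of closing the attribute.
$storedRaw = $submitted;
echo "escape-on-output slug: ", makeSlug($storedRaw), "\n";
echo renderInput($storedRaw), "\n";
echo renderInput('say "hi"'), "\n";

// Step 3 of the report: the one-off cleanup over existing rows. Decoding is
// safe to run across every row because a value with no entities comes back
// unchanged, so rows stored before and after the change can be mixed.
$rows = ['good &amp; bad', 'plain name', 'it&#039;s &quot;quoted&quot;']; // constructed
foreach ($rows as $value) {
    $decoded = htmlspecialchars_decode($value, ENT_QUOTES);
    echo ($decoded === $value ? 'unchanged: ' : 'decoded:   '), $decoded, "\n";
}
```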
Issue History

| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2012-11-05 11:31 | alex | New Issue | |
| 2012-11-05 11:31 | alex | Reference | => https://groups.google.com/d/topic/in-portal-bugs/Xp1w4_As7hw/discussion |
| 2012-11-05 11:31 | alex | Change Log Message | => Fixes forced-escaping of front-end input |
| 2012-11-05 11:31 | alex | Estimate Points | => 2 |
There are no notes attached to this issue. |