In-Portal Issue Tracker - In-Portal CMS
Viewing Issue Advanced Details
ID: 1437
Project: In-Portal CMS
Category: Front End
Type: bug report
Reproducibility: always
Date Submitted: 2012-11-05 11:31
Last Update: 2012-11-05 11:31
Status: active
Version: 5.1.0
Change Log Message: Fixes forced-escaping of front-end input
Summary: 0001437: Prevent force-escaping of data on Front-End
In-Portal applies the "htmlspecialchars" function to all input that comes from a Front-End user.

This is good, but when the submitted link name is "good & bad", it becomes "good &amp; bad" in the database and produces the "/category/good-amp-bad.html" URL. Both "&" and ";" are restricted symbols and are stripped from the URL, but "amp" stays.

1. kHTTPQuery class - don't automatically encode all input that comes from the Front-End
2. Front-End templates - find every use of an inp2: tag that is glued into HTML markup (e.g. <input value="_INP_TAG_HERE_"/>) and add html_escape="1" so that " or ' cannot break the HTML tag
3. Scan all text fields in the database and run the htmlspecialchars_decode function on them, no matter what's inside. I suppose that function is clever enough to keep the existing field value if nothing needs to be replaced.
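The three steps above amount to moving from escape-on-input to escape-on-output. The following PHP is an added illustration written for this page, not In-Portal code: kHTTPQuery, inp2: tags and the real URL-slug rules are In-Portal's, while escapeOnInput, makeSlug, renderInput and decodeStoredField are hypothetical names chosen here, and the slug rule (drop every non-alphanumeric run) is an assumption that mirrors the "&" and ";" stripping described in the report. It reproduces the "good-amp-bad" slug, shows the double-encoding that appears once a template escapes a value that was already escaped on input, and shows the one decode-flag detail that step 3 depends on.

```php
<?php
// Added example, not part of In-Portal. Function names below are hypothetical.
declare(strict_types=1);

// The behaviour the report objects to: every request value is escaped on the way in.
function escapeOnInput(array $request): array
{
    return array_map(
        static fn(string $v): string => htmlspecialchars($v, ENT_QUOTES, 'UTF-8'),
        $request
    );
}

// Assumed slug rule: "&" and ";" (like any other non-alphanumeric) are not URL-safe
// and are dropped, so an entity such as "&amp;" leaves its name "amp" behind.
function makeSlug(string $name): string
{
    $slug = strtolower($name);
    $slug = preg_replace('/[^a-z0-9]+/', '-', $slug);
    return trim($slug, '-');
}

// Escape-on-output: the value is stored raw and escaped only where it is glued
// into markup, which is what html_escape="1" on an inp2: tag is meant to do.
function renderInput(string $rawValue): string
{
    return '<input value="' . htmlspecialchars($rawValue, ENT_QUOTES, 'UTF-8') . '"/>';
}

// One-time migration for rows written while input was force-escaped (step 3).
// The decode flags must match the encode flags: with ENT_COMPAT (PHP's default
// before 8.1) the &#039; produced by ENT_QUOTES is left in place.
function decodeStoredField(string $stored): string
{
    return htmlspecialchars_decode($stored, ENT_QUOTES);
}

// Constructed sample input standing in for a front-end form submission.
$submitted = ['name' => 'good & bad', 'title' => 'say "hi" & \'bye\''];

// Before the fix: encoded on input, so the slug is wrong and a template that
// escapes again double-encodes.
$stored = escapeOnInput($submitted);
var_dump($stored['name']);               // string(14) "good &amp; bad"
var_dump(makeSlug($stored['name']));     // "good-amp-bad"
var_dump(renderInput($stored['name']));  // <input value="good &amp;amp; bad"/>

// After the fix: raw in the database, escaped once at output, correct slug.
$raw = decodeStoredField($stored['name']);
var_dump($raw);                          // "good & bad"
var_dump(makeSlug($raw));                // "good-bad"
var_dump(renderInput($raw));             // <input value="good &amp; bad"/>

// Decoding with ENT_QUOTES restores both quote styles; ENT_COMPAT does not.
var_dump(decodeStoredField($stored['title']));                    // say "hi" & 'bye'
var_dump(htmlspecialchars_decode($stored['title'], ENT_COMPAT));  // say "hi" & &#039;bye&#039;

// A field with no entities is returned unchanged, so the migration is harmless
// on rows that were never encoded ...
var_dump(decodeStoredField('plain text') === 'plain text');       // bool(true)
// ... but a row whose raw content legitimately contained "&amp;" is altered.
var_dump(decodeStoredField('literal &amp; stays?'));              // "literal & stays?"
```

Two practical checks follow from this. First, step 2 must be complete before step 3 runs: once the database holds raw values, any inp2: tag that is glued into markup without html_escape="1" turns a stored quote or angle bracket into markup, so every such tag has to be found, not most of them. Second, run the decode with the same flags kHTTPQuery used to encode, and spot-check rows that may have been written by paths that never went through that encoding (admin or import), since htmlspecialchars_decode cannot tell an entity it created from one a user typed.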
Issue History
2012-11-05 11:31 alex New Issue
2012-11-05 11:31 alex Reference =>
2012-11-05 11:31 alex Change Log Message => Fixes forced-escaping of front-end input
2012-11-05 11:31 alex Estimate Points => 2

There are no notes attached to this issue.