-
Notifications
You must be signed in to change notification settings - Fork 7.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
form_prep() strips backslashes (\) and keeps htmlentities unescaped. #2477
Comments
The first one is ... natural, I guess. The second is just not proper - the ampersand doesn't need escaping in a form field. |
Is there a specific problem you're having with the way |
Sorry, I can explain my problem with another example, when putting this string into form field using form_field() helper: I hope it is more clear now. |
Otherwise, if you don't want backslashes being stripped - then don't use |
Especially, there is a rule to prevent XSS:
What problems you'll have if the form_prep will convert htmlentities before placing it to the value attribute? |
To answer your second question - it's simply not necessary, the only thing that needs escaping in an input field are quotes, since they can break the page. |
No, I want the input string to be shown as is, but in html tag attribute it must be escaped securely to avoid breaking the tag. And if you say that quotes already escaped using replacement to HTML entities why not to escape other symbols as well? In my opinion What are your fears about this change? I can do pool request if you wish. |
Because, that may be what you want, but this doesn't mean it's what everybody wants. It should do what it is supposed to do - escape quotes, not less and not more. |
Btw, you do realise that you could just use |
Yes, I do. form_prep() is always called from form_input() helper, so I had to overload the function function form_prep($str = '', $is_textarea = FALSE)
{
if (is_array($str))
{
foreach (array_keys($str) as $key)
{
$str[$key] = form_prep($str[$key], $is_textarea);
}
return $str;
}
// This is how it works in core helper
// if ($is_textarea === TRUE)
// {
// return str_replace(array('<', '>'), array('<', '>'), stripslashes($str));
// }
// return str_replace(array("'", '"'), array(''', '"'), stripslashes($str));
return htmlspecialchars($str);
} I can go on with this solution, but for me the logic of form_prep() is not what it should be. I understand that it might be a surprise for those who was doing htmlspecialchars() by their own before posting it to the form_input() functions. But if this change will go to next major release, then users anyways have to check migration manual and do changes in their apps accordingly when they upgrade, right. |
After investigating this some more, I believe @Dumk0 is right. If I want to enter the literal text So ampersands should be encoded. There should be little concern for double encoding upon submission, since Upon testing the encoding of ampersands, however, there is a problem with double encoding when using Regarding |
I've never said that If you want to change what As for |
A case: You have a CKEditor attached to a textarea element created with form_textarea(). By using the editor you enter a HTML fragment, on saving this HTML is sanitized (allowed tags) and stored within a database field. Now let us edit the stored HTML fragment the same way with CKEditor. We take this fragment from the database field and put it as an argument of form_textarea(). As a result, an escaped HTML fragment will be inserted inside the textarea tag. And the editor will show garbage. Please, reconsider this change, form_prep() with the optional parameter $is_textarea was fine in this case. |
CKEditor is made to work with raw HTML fields, it doesn't care about And more importantly, we can't support every edge case, let alone third-party tools. |
I have made two test cases for form_prep() helper function which fail for me.
I guess the right way to process the form_prep() values is to convert all chars to entities and escape double quotes. Maybe You have also comments and/or solutions on this.
The text was updated successfully, but these errors were encountered: