Slash fix #180
Slash fix #180
Conversation
|
Since the switch to parameterized queries, I think we're able to drop the string manipulation (of this sort) before saving to the database. I think this brings up a larger decision though... What do you guys think about switching to strip_tags before saving and htmlspecialchars before displaying anything users have entered? (Rather than trying to manually handle this everywhere.) |
|
Actually, htmlawed is already included. Maybe we should use that instead of strip_tags. |
|
Probably a good idea, but I dont know efficient htmlawed is would that run a risk of effecting performance? |
|
Using the defaults, it processed some random HTML in: |
|
They've updated the htmlawed several times and we are still using the old version. We need to update that too. |
|
@david62311 Didn't notice that. I'll update. I'll give it a go and report back |
|
It does, well I guess going with htmlawed seems like the sensible choice |
|
Well, the results are promising. It's now storing stuff in the db in raw form (which is good!). Just have to make sure htmlspecialchars is used when it's output for viewing and not used when output as a value in a textbox or something. I left cleanvars but modified it to clean HTML using htmLawed (and removed the encoding bit)...then removed uncleanvars since we won't need to do that anymore. Will submit PR when I'm done testing. |
|
sounds good. |
|
This might be nailed down now. #183 addresses this and a few other things. |
prevents the \ character from being generated