[pmwiki-users] Foxedit and special characters

James DeVain jamesdevain at mail.com
Mon Jan 19 15:00:03 CST 2009


> foxedit.php uses
> htmlspecialchars($text,ENT_NOQUOTES)
> on input text for preventing user-supplied text from containing HTML
> markup, such as in a forum or commentbox application.
> What you propose to do will remove this security measure.

Sorry, I should have mentioned that HTML is fully enabled on my pmwiki
installation. I don't use it as an open wiki. On forms which do allow
anonymous users to post, I apply a fox filter that strips HTML and
page directives.

To be clear, it is not actually converting "<" to "&lt;" upon submission,
but simply *displaying* "<" as "&lt;" when viewed in foxedit mode. When I
open the page in normal edit mode, "<" remains as "<".

I don't really understand, though, why foxedit would need to disallow
posting of HTML characters. I assumed that, unless HTML was enabled in
config.php (like it is on mine), then pmwiki simply would not process any
codes as HTML...

> What browser do you use? I suspect some browser setting perhaps will
> not decode the HTML characters in a textarea, but will show them
> plain.

It behaves this way in FF, IE, and Chrome. I use all three.

In any case, if the line ...htmlspecialchars($text,ENT_NOQUOTES)); is
only there to prevent the posting of HTML, then I guess it's no big deal
for me to change it. I just wanted to make sure it wasn't going to cause
any other problems.

Thanks

> > Hans (or anyone else who might know), I wanted foxedit's edit form to
> > not display character codes instead of HTML characters (for example,
> > it would display "<" as "&lt;"). I couldn't figure out a way to change
> > it in my config file, so I just changed foxedit.php, line 84, from:
> > 
> > ...('$','$',htmlspecialchars($text,ENT_NOQUOTES));
> > 
> > to:
> > 
> > ...('$','$',htmlspecialchars_decode($text,ENT_NOQUOTES));
> >
> > Do you see any problem with this? Or is there a better way to handle it?

> foxedit.php uses
> htmlspecialchars($text,ENT_NOQUOTES)
> on input text for preventing user-supplied text from containing HTML
> markup, such as in a forum or commentbox application.
> What you propose to do will remove this security measure.
> 
> In my working with foxedit I do not see HTML character codes
> displayed in a wiki page or in a textarea form called by foxedit.
> I can see it only by looking at the HTML page source.
> 
> Not sure why it will show in your edit area as HTML code.
> What browser do you use? I suspect some browser setting perhaps will
> not decode the HTML characters in a textarea, but will show them
> plain.
> I use Firefox in general.
> 
> 
> ~Hans
>

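As an added example (my own code, not foxedit's and not from anyone in this thread), the snippet below models what a browser displays for a textarea filled by the original line, by the proposed htmlspecialchars_decode change, and by htmlspecialchars called with double_encode=false. The function names are invented, and the "stored already escaped" input is only one hypothesis consistent with the "&lt;" symptom described above.

```php
<?php
// Added example, not code from foxedit or from this thread. It models
// what a browser displays for a <textarea> whose content was produced
// by the original line, by the proposed change, and by a third option.
// Function names are my own.

// Browser rule for textarea content: entities are decoded for display,
// tags are not interpreted, and the element ends at the first
// "</textarea>" in the markup. Returns [displayed text, trailing markup].
function textarea_shows(string $content): array {
    $markup = '<textarea>' . $content . '</textarea>';
    $open   = strlen('<textarea>');
    $end    = stripos($markup, '</textarea>');
    $inner  = substr($markup, $open, $end - $open);
    $after  = substr($markup, $end + strlen('</textarea>'));
    return [html_entity_decode($inner, ENT_QUOTES, 'UTF-8'), $after];
}

// foxedit.php line 84 as shipped: escape once.
function foxedit_original(string $text): string {
    return htmlspecialchars($text, ENT_NOQUOTES);
}
// The change proposed in the thread: decode instead of escape.
function foxedit_proposed(string $text): string {
    return htmlspecialchars_decode($text, ENT_NOQUOTES);
}
// Escape, but leave entities already present alone (double_encode=false).
function foxedit_no_double(string $text): string {
    return htmlspecialchars($text, ENT_NOQUOTES, 'UTF-8', false);
}

// Constructed inputs: text stored as typed, and text stored already escaped.
$plain   = 'a < b';
$escaped = 'a &lt; b';
[$shown] = textarea_shows(foxedit_original($plain));    // shows "a < b"
echo "original, plain:    $shown\n";
[$shown] = textarea_shows(foxedit_original($escaped));  // shows "a &lt; b", the symptom
echo "original, escaped:  $shown\n";
[$shown] = textarea_shows(foxedit_no_double($escaped)); // shows "a < b"
echo "no_double, escaped: $shown\n";

// Why the escape is a security measure: with the decode variant, text
// containing the closing tag ends the textarea early and whatever follows
// is live markup; the original line keeps the whole string as inert text.
$closing = 'x</textarea>y';                                    // constructed
[$shown, $after] = textarea_shows(foxedit_original($closing)); // "x</textarea>y", ""
echo "original: shown='$shown' after='$after'\n";
[$shown, $after] = textarea_shows(foxedit_proposed($closing)); // "x", "y</textarea>"
echo "proposed: shown='$shown' after='$after'\n";
```

If the wiki text really is stored with entities already in it, the double_encode=false variant removes the displayed "&lt;" without giving up the escaping; the decode variant removes it by giving the escaping up.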