
Textpattern CMS support forum


#1 2009-04-25 08:59:54

azw
Member
Registered: 2007-01-29
Posts: 279

How does TXP validate HTML form input? How should plugins validate it?

Hello,

When we write a plugin that uses the TXP functions, do we have to create specific code to validate the HTML form input data, or are there built-in functions we can hook into?

My code breaks the display with inputs like: ‘ <b> and <script>.

I’m betting there’s an easier, safer way!

Last edited by azw (2009-04-26 03:20:51)

Offline

#2 2009-04-25 09:54:23

grundgesetz
Plugin Author
From: Germany
Registered: 2009-04-17
Posts: 24

Re: How does TXP validate HTML form input? How should plugins validate it?

you could make use of the textile library perhaps?

//edit: sorry, didn't get your point. forget my comment ;)

Last edited by grundgesetz (2009-04-26 13:32:08)

Offline

#3 2009-04-25 20:20:49

azw
Member
Registered: 2007-01-29
Posts: 279

Re: How does TXP validate HTML form input? How should plugins validate it?

Does Textile handle validation of form input? I hadn’t thought about that possibility.

I’ll have to take a look at what functions are used to filter search input. That seems to work well.

Offline

#4 2009-04-26 03:20:04

azw
Member
Registered: 2007-01-29
Posts: 279

Re: How does TXP validate HTML form input? How should plugins validate it?

My plugin is a revision of txp_link.php. Interestingly, there is very little validation in txp_link.php (at least not that I see).

After you submit a new link, this is the processing that’s done:

function link_post()
	{
		global $txpcfg,$vars;
		$varray = gpsa($vars);

		extract(doSlash($varray));  // <== doSlash does mysql_real_escape_string

		if (!$linksort) $linksort = $linkname;

		$q = safe_insert("txp_link",
		   "category    = '$category',
			date        = now(),
			url         = '".trim($url)."',
			linkname    = '$linkname',
			linksort    = '$linksort',
			description = '$description'"
		);

		$GLOBALS['ID'] = mysql_insert_id( );

		if ($q)
		{
			//update lastmod due to link feeds
			update_lastmod();

			$message = gTxt('link_created', array('{name}' => $linkname));

			link_edit($message);
		}
	}

When this data is redisplayed, most of the fields have htmlspecialchars applied in the listing:

						td(
							htmlspecialchars($description)
						, 150).

In the table in which you can edit existing fields, htmlspecialchars is added via fInput.

Does TXP do anything else to validate input?
Does TXP simply assume that only friendly persons will add data and that they’ll never add bad input?

Last edited by azw (2009-04-26 06:13:31)

Offline

#5 2009-04-26 08:37:59

azw
Member
Registered: 2007-01-29
Posts: 279

Re: How does TXP validate HTML form input? How should plugins validate it?

I’ve been studying Textpattern to see how it handles validation. I don’t see any pattern validation or testing for illegal characters. Maybe that makes sense given the broad userbase and many different needs of users.

TXP seems to use mysql_real_escape_string before adding input to the database and then use htmlspecialchars when displaying the data later. I don’t see anything else.

It appears that the incompatibility arises when I use:

$text = filter_var($text, FILTER_SANITIZE_STRING);

That stumped me because I didn’t think that FILTER_SANITIZE_STRING encoded ‘ and “, but apparently it does. Once they get encoded, Textpattern will show the code: &#39;

That’s because the htmlspecialchars function translates the & and displays the underlying code rather than the ‘ glyph. So a name like O’Hara becomes O&#39;Hara.

Well, at least I know what’s going on.

Any suggestions?

Perhaps TXP’s developers will want to consider using the filter_var functions in the future?

…..

For what it’s worth, I also found that typing <script> into an input field in Textpattern also breaks the display, so it’s not just my script, it’s the way TXP works, too. The script never has a chance to replace the < or translate “script”. But I can at least stop processing with something like this:

if (preg_match("/<script/i", $text)) die("Prohibited input");

Offline
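
The double encoding described in post #5, as an added example that is not part of the thread and is not Textpattern's code: the value is validated and kept raw, then HTML-encoded once at output, next to the same value encoded before storage and again at output. The function names and the length rule are assumptions, and `pre_encode_quotes` is a stand-in for the quote encoding of FILTER_SANITIZE_STRING, which is deprecated since PHP 8.1.

```php
<?php
// Added example: not Textpattern code. All function names are hypothetical.

// Validation decides whether to accept the value; it does not rewrite it.
// Assumed rule for this example: 1-255 bytes, no control characters.
function validate_link_name(string $raw): ?string
{
    $value = trim($raw);
    if ($value === '' || strlen($value) > 255) {
        return null;
    }
    if (preg_match('/[\x00-\x1F\x7F]/', $value)) {
        return null;
    }
    return $value; // kept raw: no HTML encoding before storage
}

// Output encoding happens once, where the value is written into HTML.
function html_out(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
}

// Stand-in for the quote encoding the post saw from FILTER_SANITIZE_STRING
// (deprecated since PHP 8.1; the real filter also strips tags).
function pre_encode_quotes(string $raw): string
{
    return str_replace(["'", '"'], ['&#39;', '&#34;'], $raw);
}

// Returns the HTML produced by each approach for one accepted value.
function render_both_ways(string $stored): array
{
    return [
        'encoded once'  => html_out($stored),
        'encoded twice' => html_out(pre_encode_quotes($stored)),
    ];
}

// Constructed sample inputs, taken from the kinds of value the thread mentions.
$samples = ["O'Hara", '<b>bold</b>', '<script>alert(1)</script>', "bad\x00name"];

foreach ($samples as $raw) {
    $stored = validate_link_name($raw);
    if ($stored === null) {
        echo "rejected: " . json_encode($raw) . "\n";
        continue;
    }
    foreach (render_both_ways($stored) as $label => $html) {
        echo str_pad($label, 14) . $html . "\n";
    }
}
```

Viewed in a browser, the "encoded once" output displays O'Hara as typed, while the "encoded twice" output displays the literal entity text, which is the symptom reported above.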
