safe_htmlentities()

edited February 2011 in Bug Reports
I'm having some issues with safe_htmlentities(). Judging by your notes in the function you know what I'm talking about: re-encoding the entitie's ampersand.

The server my site is on is using PHP 5.1.6. On which htmlentities() only accepts 3 parameters. That seems to be the main issue.

I'm going to try to get the PHP version updated. Are there any solutions until that happens or if the host won't do it?

Comments

  • edited 4:11PM
    Might the PHP version stop the MarkItUp image browser from displaying any data?
  • edited 4:11PM
    I'll look into the htmlentities issue to see if there is a fix I can make to that function. With regards to the MarkItUp image browser, the PHP version shouldn't cause any problems that I know of. What are you experiencing (e.g. an empty dropdown list of images, no images previewing...etc)?
  • edited 4:11PM
    An empty dropdown list.

    Works locally and on my server. Nothing on the client's server, though.
  • edited 4:11PM
    What kind of server is it? Is it perhaps a windows box? Also, make sure to make the folders writable or they won't show up.
  • edited 4:11PM
    With regards to the htmlentities, I've been looking at it a little closer and I discovered a couple issues with it in which I think I have some fixes for locally and will include them in the upcoming 0.92 branch release that will hopefully be pretty soon. In particular, your issue with re-encoding the ampersand.
  • edited 4:11PM
    The server is a Linux box and the folders are, indeed, writable.

    Looking forward to the htmlentities fix. :)
  • edited 4:11PM
    With the safe_htmlentities issue, I think there are actually 2 things that are going on. First, the Form::prep() method wasn't properly encoding those values for when they are being displayed in the form fields. The send part was that they are getting set to be translattd by the model because of the auto_encode_entities property being set to TRUE by default (you can set it to only encode on certain columns):
    http://www.getfuelcms.com/user_guide/libraries/my_model

    I've pasted those changes below if you want to make them locally, so you don't have to wait (and can test out too on your end :-):

    In the fuel/application/Form.php class, replace the prep() method with the following:
    public static function prep($str, $double_encode = TRUE) { $str = (string) $str; if ($double_encode) { $str = htmlspecialchars($str, ENT_QUOTES, 'UTF-8'); } // Do not encode existing HTML entities // From PHP 5.2.3 this functionality is built-in, otherwise use a regex if (version_compare(PHP_VERSION, '5.2.3', '>=')) { $str = htmlspecialchars($str, ENT_QUOTES, 'UTF-8', FALSE); } else { $str = preg_replace('/&(?!(?:#\d++|[a-z]++);)/ui', '&amp;', $str); $str = str_replace(array('<', '>', '\'', '"'), array('&lt;', '&gt;', '&#39;', '&quot;'), $str); } return $str; }

    In the MY_string_helper functions, replace safe_htmlentities with the following:
    function safe_htmlentities($str, $protect_amp = TRUE) { // convert all hex single quotes to numeric ... // this was due to an issue we saw with htmlentities still encoding it's ampersand again'... // but was inconsistent across different environments and versions... not sure the issue // may need to look into other hex characters $str = str_replace('&#x27;', '&#39;', $str); // setup temp markers for existing encoded tag brackets existing $find = array('&lt;','&gt;'); $replace = array('__TEMP_LT__','__TEMP_GT__'); $str = str_replace($find,$replace, $str); // encode just & if ($protect_amp) { $str = preg_replace('/&(?![a-z#]+;)/i', '__TEMP_AMP__', $str); } // safely translate now if (version_compare(PHP_VERSION, '5.2.3', '>=')) { $str = htmlspecialchars($str, ENT_NOQUOTES, 'UTF-8', FALSE); } else { $str = preg_replace('/&(?!(?:#\d++|[a-z]++);)/ui', '&amp;', $str); $str = str_replace(array('<', '>'), array('&lt;', '&gt;'), $str); } // translate everything back $str = str_replace($find, array('<','>'), $str); $str = str_replace($replace, $find, $str); if ($protect_amp) { $str = str_replace('__TEMP_AMP__', '&', $str); } return $str; }
  • edited 4:11PM
    With regards to the image preview issue, could you echo out the $assets_path value on line 66 of the fuel/modules/fuel/models/assets_model.php to see what the value is there?
  • edited 4:11PM
    I've got:
    /vservers/migrationbre/htdocs/assets/images/

    Which is correct (I was wondering if it was a path issue, myself).

    Folder and file permissions are set to 777.
  • edited 4:11PM
    Is there anything being returned by the next line with the call to the get_dir_file_info()? And then further down, if anything is being returned in the $return array?

    Also, if you have IRC, I'm at irc.freenode.net in the fuelcms room (first time doing this for FUEL... so hopefully it works).
  • edited 4:11PM
    I got a large array for:

    $tmpfiles
    $files

    But $return is empty. Which, obviously, is the problem.

    Also, I am in the IRC room. Connected just fine with Colloquy but Adium wouldn't find it.
  • edited 4:11PM
    $return is empty after:

    $return = array_slice($return, $offset, $limit);

    $offset = 0
    $limit is not set
  • edited 4:11PM
    For others, there seems to be an issue with array_slice on line 102 with an empty $limit value. The solution was to change it to this:
    $return = (empty($limit)) ? array_slice($return, $offset) : array_slice($return, $offset, $limit);

    Seems to be an issue with php 5.16
    http://stackoverflow.com/questions/4321416/php-array-slice-null-length-results-in-empty-array
  • edited 4:11PM
    I came across this thread when looking into an issue with displaying double quotes in a normal input field. In the prep function, shouldn't the correct line be:

    $str = htmlspecialchars($str, ENT_QUOTES, 'UTF-8', FALSE);

    This will then correctly escape quotes and allow editing of those fields.
  • edited 4:11PM
    Which line are you referring too?
  • edited 4:11PM
    In the fuel/application/libraries/Form.php, line 431
  • edited 4:11PM
    $double_encode (not double quotes) is the 4th parameter and by default is set to TRUE for the htmlspecialchars function. That parameter is the second parameter in the prep() method.
  • edited 4:11PM
    This function does not properly escape/prepare text containing double quotes for editing in a standard input element of a form.

    public static function prep($str, $double_encode = TRUE) { $str = (string) $str; if ($double_encode) { $str = htmlspecialchars($str, ENT_NOQUOTES, 'UTF-8'); } // Do not encode existing HTML entities // From PHP 5.2.3 this functionality is built-in, otherwise use a regex if (version_compare(PHP_VERSION, '5.2.3', '>=')) { $str = htmlspecialchars($str, ENT_NOQUOTES, 'UTF-8', FALSE); } else { $str = preg_replace('/&(?!(?:#\d++|[a-z]++);)/ui', '&amp;', $str); //$str = str_replace(array('<', '>', '\'', '"'), array('&lt;', '&gt;', '&#39;', '&quot;'), $str); $str = str_replace(array('<', '>'), array('&lt;', '&gt;'), $str); } return $str; }

    I was able to make this work by changing ENT_NOQUOTES to ENT_QUOTES.
  • edited 4:11PM
    That appears to be from an older version. That function has been changed already in the master branch.
Sign In or Register to comment.