#1 doubledee (Senior Coder)

    Problem with Photo Labels

    I am having trouble with my Photo Labels getting messed up by htmlentities().

    On my website, I have this code...

    PHP Code:
    title='" . str2htmlentities($photoLabel) . "' /> 
    ...so that if you hover over a Member's Photo you can see an additional caption like this...

    Debbie's brand new car!!

    The problem is that htmlentities() is changing things to this...

    Debbie & #039 ; s brand new car!!
    (I've added spaces so it doesn't converted by this website.)


    Obviously I can't control when a Member *legitimately* wants to add something like an Apostrophe to their Photo Label, and it looks broken - at best - to see all that unicode or whatever in the display?!


    Is there a way to protect against XSS attacks and yet not muck up the Photo Labels??

    Thanks,


    Debbie

#2 tangoforce (Senior Coder)
    Quote Originally Posted by doubledee:
    Is there a way to protect against XSS attacks and yet not muck up the Photo Labels??
    Use strip_tags() which will remove any html / javascript tags and don't use htmlentities() on the mouseover.

    htmlentities() is used for displaying characters in a webpage that would otherwise be understood as html source code by the browser. Your mouseover box that the browser displays is not part of a webpage but a windows control - part of the windows control set available to all programs. Despite being on a mac, I suspect Apple uses a similar method, especially since Bill once had dealings with them. The mouseover box control therefore works differently and doesn't need any htmlentities() use because it's just a normal display component, not a TWebBrowser VCL.
    See my new CodingForums Blog: http://www.codingforums.com/blogs/tangoforce/

    Many useful explanations and tips including: Cannot modify headers - already sent, The IE if (isset($_POST['submit'])) bug explained, unexpected T_CONSTANT_ENCAPSED_STRING, debugging tips and much more!

#3 doubledee (Senior Coder)
    Quote Originally Posted by tangoforce:
    Use strip_tags() which will remove any html / javascript tags and don't use htmlentities() on the mouseover.

    htmlentities() is used for displaying characters in a webpage that would otherwise be understood as html source code by the browser. Your mouseover box that the browser displays is not part of a webpage but a windows control - part of the windows control set available to all programs. Despite being on a mac, I suspect Apple uses a similar method, especially since Bill once had dealings with them. The mouseover box control therefore works differently and doesn't need any htmlentities() use because it's just a normal display component, not a TWebBrowser VCL.
    Compelling response, but it chops off everything after the apostrophe?!

    From...

    Debbie's New Car

    To...
    Debbie


    Debbie

#4 tangoforce (Senior Coder)
    That's probably going to need escaping in the output then.

    Debbie's brand new car!!

    would become

    Debbie\'s brand new car!!

    Just as you would escape an apostrophe in php, you sometimes need to do it in javascript and in html titles so that the browser can parse the source correctly. You can use addslashes() for that before printing the title into the page.
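As an added example (not code from the thread), here is a PHP comparison of the three approaches raised above, strip_tags(), addslashes() and htmlspecialchars(), applied to a label that is written into a single-quoted title attribute; the label is a constructed sample and safeInsideQuotedAttribute() is a helper written for this example:

```php
<?php
// Added example: compare how the three functions mentioned in the thread treat
// a label that is dropped into a single-quoted title='...' attribute.
declare(strict_types=1);

// Constructed sample label: a legitimate apostrophe plus some markup.
const SAMPLE_LABEL = "Debbie's <b>new</b> car!!";

// True only when nothing that can close the quotes or open a tag survives.
// '&' is permitted because encoded output needs it for entities.
function safeInsideQuotedAttribute(string $value): bool
{
    return preg_match('/[<>"\']/', $value) === 0;
}

function candidates(string $label): array
{
    return [
        // strips <b>...</b> but leaves the apostrophe, so a quote can still end the attribute
        'strip_tags'       => strip_tags($label),
        // backslash escaping is for PHP/JS string literals; HTML shows the backslash literally
        'addslashes'       => addslashes($label),
        // ENT_QUOTES encodes ' as &#039; (HTML 4.01 form, as seen in the thread) and " as &quot;
        'htmlspecialchars' => htmlspecialchars($label, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),
    ];
}

foreach (candidates(SAMPLE_LABEL) as $name => $value) {
    printf("%-16s title='%s'  safe: %s\n",
        $name, $value, safeInsideQuotedAttribute($value) ? 'yes' : 'no');
}

// The tooltip shows the attribute value after the browser decodes it once,
// so the encoded form displays the apostrophe normally and the markup as plain text.
echo html_entity_decode(candidates(SAMPLE_LABEL)['htmlspecialchars'], ENT_QUOTES, 'UTF-8'), "\n";
```

Only the htmlspecialchars() candidate passes the check; the other two leave the apostrophe in place, and addslashes() additionally puts a visible backslash into the tooltip.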

#5 doubledee (Senior Coder)
    After looking at things a little closer, I have found some really STRANGE behavior I cannot explain...

    If I go into the Member's Profile page, there is a photo of the logged in Member, plus a listing of the Member's Friends.

    If I hover over any of those photos, I see things like this...

    Pam's Red Gradient
    Sam's Spiral GIF

    And here is a code snippet for "profile.php"

    PHP Code:
    "<img src='/uploads/"
        . validatePhoto($topPhoto, $topPhotoApproved) .
        "' width='60' alt='Thumbnail of "
        . $topUsername .
        "' title='"
        . str2htmlentities($topPhotoLabel) .
        "' />


    Now, if I go into one of the Article pages, at the bottom is a series of Member Comments, and next to each is the Member's Photo.

    If I hover over any of those photos, I see things like this...

    Pam & #039 ;s Red Gradient
    Sam & #039 ;s Spiral GIF

    And here is a code snippet for "article.php"

    PHP Code:
    "<img class='noborder' src='/uploads/"
        . validatePhoto($photoName, $photoApproved) .
        "' width='100' alt='Photo of " . $username . "'
        title='" . str2htmlentities($photoLabel) . "' />

    While the variable names are slightly different, all of these Photos and Photo Labels are coming from the *same* Fields and Records in the Database, so they should look identical across pages unless my code was different, which it does not appear to be?!


    Any idea why things seem to be working on my Profile Page, but are broken on my Article/Member Comments Page??

    Thanks,


    Debbie

#6 doubledee (Senior Coder)
    Looks like this line in "article.php" was causing the confusion...

    PHP Code:
    // Set Photo Label.
    // Encodes the label here, and the title='...' output then encodes it a
    // second time, which produced the &amp;#039; seen in the tooltip.
    $photoLabel = (!empty($photoLabel) ? str2htmlentities($photoLabel) : str2htmlentities($username));
    Oops!!!


    Debbie
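An added PHP example, not the thread's own code, that reproduces the double encoding found above and shows the profile.php behaviour (encoded exactly once, at output) beside it; str2htmlentities() is the site's own helper and is not shown on the page, so the block assumes a stand-in that wraps htmlentities(), and the label value is a constructed sample:

```php
<?php
// Added example: reproduce the double encoding from article.php and show the
// profile.php behaviour (encoded exactly once, at output) beside it.
declare(strict_types=1);

// Assumed stand-in for the site's own str2htmlentities(), which is not shown.
function str2htmlentities(string $s): string
{
    return htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The title='...' fragment as both pages build it.
function renderTitle(string $label): string
{
    return "title='" . str2htmlentities($label) . "'";
}

// What the tooltip displays: the attribute value decoded once by the browser.
function tooltipText(string $titleAttr): string
{
    $value = substr($titleAttr, strlen("title='"), -1);
    return html_entity_decode($value, ENT_QUOTES, 'UTF-8');
}

$photoLabel = "Debbie's brand new car!!";   // constructed sample database value

// article.php: the "Set Photo Label" line encodes on assignment, then the
// output encodes again. The & of the entity becomes &amp;, so the browser
// undoes only that outer layer and the tooltip shows the entity as text.
$encodedTooEarly = str2htmlentities($photoLabel);
$broken = renderTitle($encodedTooEarly);
echo $broken, "\n", tooltipText($broken), "\n";

// profile.php: the raw value reaches the output expression and is encoded
// once, so the tooltip shows the apostrophe. This is the fix: keep the stored
// value raw and encode at the point it is written into HTML.
$fixed = renderTitle($photoLabel);
echo $fixed, "\n", tooltipText($fixed), "\n";

// Safety net: double_encode=false (fourth argument) leaves an existing entity
// alone, so an accidental second pass is harmless while a raw quote or '<'
// is still encoded. It does not replace encoding exactly once at output.
function encodeOnce(string $s): string
{
    return htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', false);
}
echo encodeOnce(encodeOnce($photoLabel)), "\n";
```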

#7 tangoforce (Senior Coder)
    Glad you got it working

    Don't suppose you feel like fixing my Edimax router's port forwarding?

#8 doubledee (Senior Coder)
    Quote Originally Posted by tangoforce:
    Glad you got it working

    Don't suppose you feel like fixing my Edimax router's port forwarding?
    If I knew what those were, I might?!


    Debbie

#9 tangoforce (Senior Coder)
    Quote Originally Posted by doubledee:
    If I knew what those were, I might?!
    A PITA. I've been struggling to get port forwarding working properly for use with an SMTP server I've been working on. I think I'll go with a Linksys or D-Link router in the future. Not impressed with Edimax.

    Still, got there eventually, and I can add some more features to my SMTP server: I can now send emails to PHP scripts where they can be processed instantly (no cron or piping needed).

#10 Super Moderator (Perth Australia)
    Quote Originally Posted by tangoforce:
    Not impressed with Edimax.
    yup, buying an edimax is a crime which ironically is also the punishment
    resistance is...

    MVC is the current buzz in web application architectures. It comes from event-driven desktop application design and doesn't fit into web application design very well. But luckily nobody really knows what MVC means, so we can call our presentation layer separation mechanism MVC and move on. (Rasmus Lerdorf)

#11 tangoforce (Senior Coder)
    Lol, so what would you recommend as a solid router?

#12 Super Moderator (Perth Australia)
    Linksys/Cisco is on the ball, and Netgear; for budget brands, TP-Link stuff is actually much better than it ought to be. I am not a fan of D-Link but many are.

#13 tangoforce (Senior Coder)
    Hmm, I had a wifi adapter for a laptop years ago made by Netgear but sold under a budget name; it was crap (by that I mean it simply didn't work - could barely scan and never connect). Went and got a D-Link and it worked straight out of the box with minimal fuss, so I was pretty impressed with that. I've never had any trouble with it either, although that laptop is now dead and I use a netbook, so it's redundant and these days they all have it built in.

    I have an old cisco router thing sat in the shed that I've never used.. came from someone on freecycle. It's big, long, flat.. I suppose I should look at it one day and see what it actually does. I remember looking at it a while back and thinking it looked a lot more complex than a normal router.. Maybe I should look for a linksys..

