I am having trouble with my Photo Labels getting messed up by htmlentities().
On my website, I have this code...
PHP Code:
title='" . str2htmlentities($photoLabel) . "' />
...so that if you hover over a Member's Photo you can see an additional caption like this...
Quote:
Debbie's brand new car!!
The problem is that htmlentities() is changing things to this...
Quote:
Debbie & #039 ; s brand new car!!
(I've added spaces so it doesn't get converted by this website.)
Obviously I can't control when a Member *legitimately* wants to add something like an Apostrophe to their Photo Label, and it looks broken - at best - to see all that unicode or whatever in the display?!
Is there a way to protect against XSS attacks and yet not muck up the Photo Labels??
Use strip_tags() which will remove any html / javascript tags and don't use htmlentities() on the mouseover.
htmlentities() is used for displaying characters in a webpage that would otherwise be understood as html source code by the browser. Your mouseover box that the browser displays is not part of a webpage but a windows control - part of the windows control set available to all programs. Despite being on a mac, I suspect Apple use a similar method, especially since Bill once had dealings with them. The mouseover box control therefore works differently and doesn't need any htmlentities() use because it's just a normal display component, not a TWebBrowser VCL.
//Please don't use this for your form processing:
if (isset($_POST['submit']))
//Internet explorer has a bug and does not always send the submit value.
Compelling response, but it chops off everything after the apostrophe?!
That's probably going to need escaping in the output then.
Debbie's brand new car!!
would become
Debbie\'s brand new car!!
Just as you would escape an apostrophe in php, you sometimes need to do it in javascript and in html titles so that the browser can parse the source correctly. You can use addslashes() for that before printing the title into the page.
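For the question above and the strip_tags()/addslashes() suggestions, here is an added example (not the original poster's code, not from any reply) that escapes a label for an HTML title attribute with htmlspecialchars() and ENT_QUOTES, runs the same labels through strip_tags() and addslashes() for comparison, and shows the double-encoding case that makes an entity appear literally in a tooltip. The labels, the photo path and the evilJs name are constructed placeholders.

```php
<?php
// Added example (not the original poster's code). Escapes a photo label for an
// HTML title attribute and compares it with the strip_tags()/addslashes() suggestions.

// Escape for use inside a quoted HTML attribute. ENT_QUOTES encodes ' and " as well,
// so the label can never close the attribute; the browser decodes the entities
// when it renders the tooltip, so the member still sees a plain apostrophe.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Same, but for a value that was already escaped before it was stored. With
// double_encode=false an existing &#039; is left alone instead of becoming
// &amp;#039;, a common reason an entity shows up literally in a tooltip.
function attrOnce(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', false);
}

function photoTag(string $src, string $label): string
{
    return "<img src='" . attr($src) . "' title='" . attr($label) . "' />";
}

// Constructed sample labels: one a member would legitimately enter, one with markup,
// one that tries to end the title attribute early (evilJs is a placeholder name).
$labels = [
    "Debbie's brand new car!!",
    "<b>bold</b> & \"quoted\"",
    "' onmouseover='evilJs()",
];

foreach ($labels as $label) {
    echo "htmlspecialchars: ", photoTag('/photos/1.jpg', $label), "\n";
    // strip_tags() only removes <...> tags: the third label has none, so the quote
    // that closes the attribute survives untouched.
    echo "strip_tags:       title='", strip_tags($label), "'\n";
    // addslashes() is PHP/SQL-style escaping; HTML does not treat a backslash as an
    // escape, so the quote still closes the attribute and the backslash is displayed.
    echo "addslashes:       title='", addslashes($label), "'\n\n";
}

// The double-encoding trap: a label that was stored already escaped.
// attr() encodes the & of &#039; again, so the tooltip shows the entity text;
// attrOnce() keeps the existing entity, so the tooltip shows the apostrophe.
$stored = "Debbie&#039;s brand new car!!";
echo "encoded twice: ", attr($stored), "\n";
echo "encoded once:  ", attrOnce($stored), "\n";
```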
While the variable names are slightly different, all of these Photos and Photo Labels are coming from the *same* Fields and Records in the Database, so they should look identical across pages unless my code was different, which it does not appear to be?!
Any idea why things seem to be working on my Profile Page, but are broken on my Article/Member Comments Page??
A PITA. I've been struggling to get port forwarding working properly for use with an SMTP server I've been working on. I think I'll go with a Linksys or D-Link router in the future.. Not impressed with Edimax.
Still, got there eventually.. and I can add some more features to my SMTP server: I can now send emails to PHP scripts where they can be processed instantly (no cron or piping needed).
MVC is the current buzz in web application architectures. It comes from event-driven desktop application design and doesn't fit into web application design very well. But luckily nobody really knows what MVC means, so we can call our presentation layer separation mechanism MVC and move on. (Rasmus Lerdorf)
Linksys/Cisco is on the ball, and Netgear; for budget brands, TP-Link stuff is actually much better than it ought to be. I am not a fan of D-Link, but many are.
Hmm, I had a wifi adapter for a laptop years ago made by Netgear but sold under a budget name; it was crap (by that I mean it simply didn't work - could barely scan and never connect). Went and got a D-Link and it worked straight out of the box with minimal fuss, so I was pretty impressed with that. I've never had any trouble with it either, although that laptop is now dead and I use a netbook, so it's redundant, and these days they all have it built in..
I have an old Cisco router thing sat in the shed that I've never used.. came from someone on Freecycle. It's big, long, flat.. I suppose I should look at it one day and see what it actually does. I remember looking at it a while back and thinking it looked a lot more complex than a normal router.. Maybe I should look for a Linksys..