I have the following example of what a user might type into a field for a post name:
<h1><span>They're awesome people</span></h1>
Now, because this is a post title, I want to remove all that HTML completely before saving it to the database. This is because of a) security reasons and b) if I export this as JSON I don't want to be cleaning up HTML on output for 3rd-party users.
I have tried the following in my model:
public function beforeSave() {
    if (isset($this->data[$this->alias]['title'])) {
        //$this->data[$this->alias]['title'] = Sanitize::clean($this->data[$this->alias]['title'], array('encode'=>true,'remove_html'=>true));
        $this->data[$this->alias]['title'] = html_entity_decode(Sanitize::html($this->data[$this->alias]['title'], array('remove'=>true)));
    }
    return true;
}
As you can see, I have tried both Clean and HTML from the Sanitize class to clean out the HTML, but both cause a problem in that they escape the quote from they're, making it like '. I have tried using html_entity_decode around the sanitize call to clean this up, but it still happens. Any ideas on how to do this?
If I do this though:
echo html_entity_decode('They're awesome people');
it works fine, so the function is fine; it's a problem with using it in conjunction with the Sanitize class in CakePHP.
Thanks
Why not use Sanitize::paranoid()? (Manual)
Or even strip_tags.
To make Sanitize::html work:
Sanitize::html($var, array('remove'=>true, 'quotes' => ENT_NOQUOTES));
It uses htmlentities internally and the default flag is set to ENT_QUOTES.
You should try the htmlspecialchars_decode() function.
Edit:
Using only PHP functions instead of the CakePHP library, you can try strip_tags().
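The plain-PHP route the last two answers point at, as an added example that is not code from the question or the answers: strip the tags at save time, decode any entities the user typed, and store plain text, then escape at output time with the flags that fit the output context. The function names are this example's own.

```php
<?php
// Added example (not from the original question or answers). Plain PHP only;
// the CakePHP Sanitize class is not used.

function plainTitle(string $raw): string
{
    // 1. Remove every tag. Unlike Sanitize::html()/htmlentities(), strip_tags()
    //    never touches quotes or apostrophes, so "They're" stays "They're".
    $text = strip_tags($raw);

    // 2. Decode entities a user may have typed by hand (e.g. &amp; or &#039;)
    //    so the stored value is plain text, not a mix of text and entities.
    //    Consequence: the stored title is NOT safe to echo raw; it must be
    //    escaped at output time (see escapeForHtmlOutput below).
    $text = html_entity_decode($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // 3. Collapse the whitespace left behind by removed block elements.
    return trim(preg_replace('/\s+/u', ' ', $text));
}

// The flag that produced the question's symptom: ENT_QUOTES (the default used
// by Sanitize::html) encodes the apostrophe, ENT_NOQUOTES leaves it alone.
// ENT_NOQUOTES is only acceptable for text between tags, never inside an
// attribute value, so the default here is the safe one.
function escapeForHtmlOutput(string $text, bool $encodeQuotes = true): string
{
    $flags = ($encodeQuotes ? ENT_QUOTES : ENT_NOQUOTES) | ENT_HTML5 | ENT_SUBSTITUTE;
    return htmlspecialchars($text, $flags, 'UTF-8');
}

// Constructed input taken from the question.
$input  = "<h1><span>They're awesome people</span></h1>";
$stored = plainTitle($input);
var_dump($stored === "They're awesome people");  // what goes into the database / JSON export

echo escapeForHtmlOutput($stored), "\n";          // for an HTML page
echo json_encode(['title' => $stored]), "\n";     // for the JSON export: no HTML escaping needed
```

Storing the decoded plain text is what makes the JSON export clean; the cost is that every HTML view of the title must go through htmlspecialchars() (or the framework's h() helper), never echo it raw.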
Related
I just tried to use the CodeIgniter escape_str function and it's working well, but when I try to get the data and show it on the front side, some extra code is showing. Is there any way to replace all those extra symbols?
This is the function
$content = $this->db->escape_str($content);
I'm trying to input the data below from an HTML textarea:
Hello all how are you?
I'm from cox's bazar. see you again.
but when I try to echo it I'm getting this:
Hello all how are you?\r\n\r\nI\'m from cox\'s bazar. see you again.
It should return the same as my input. Please help me solve this issue. Thanks
You can use the html_escape() CodeIgniter function:
http://www.codeigniter.com/user_guide/general/common_functions.html?highlight=html_escape#html_escape
I have built a custom CMS. Recently, I added the ability to create pages dynamically. I used CKEditor for the content of these pages.
I would also like to run some PHP functions that may be included in the content of the page stored in MySQL.
I DO NOT want to store actual PHP code in the database, but rather function names perhaps. For example, a page stored in the database may have:
<?php //begin output
hello world!
check out this latest news article.
news($type, $id);
//end output
?>
What is the best way to find and execute this existing function without using eval if it's found in the output? I was thinking along the lines of WordPress-style shortcodes. Maybe [[news(latest, 71]] ? Then have a function to find and execute these functions if they exist in my functions.php file. Not really sure of the best way to go about this.
I'm not searching for any code answers, but more of a best practice for this type of scenario, especially one that is safest against possible injections.
I found a solution by digging around and finding this thread:
How to create a Wordpress shortcode-style function in PHP
I am able to pass short codes like this in CKEditor
[[utube 1 video_id]]
Then, in my page that renders the code:
print shortcodify($page_content);
using this function:
function shortcodify($string) {
    // Find every [[name arg1 arg2 ...]] and replace it with the function's return value
    return preg_replace_callback('#\[\[(.*?)\]\]#', function ($matches) {
        $whitespace_explode = explode(" ", $matches[1]);
        $fnName = array_shift($whitespace_explode);   // first word is the function name
        // Call it if it exists, otherwise leave the shortcode text unchanged
        return function_exists($fnName) ? call_user_func_array($fnName, $whitespace_explode) : $matches[0];
    }, $string);
}
If the function name exists (utube) it will fire the function.
The only problem I'm having at the moment is that no matter where I place the [[shortcode]] in my editor, it always executes first.
For example, in CKEditor I put:
Hello world! Check out my latest video
[[utube 1 video_id]]
It will always put the text under the video instead of where it is in the document. I need to figure out a way to have the shortcode execute in the order it is placed.
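A variant of the shortcode expander, added here as an example and not code from the answer above: instead of calling any function whose name appears in the content (function_exists() is true for every built-in and every function your app has loaded), the dispatcher only knows the handlers in an explicit map, and each handler returns its markup rather than echoing it, which is what keeps the output in document order. The handler names, the video-id rule and the sample content are assumptions made for this example.

```php
<?php
// Added example, not the answer's own code. Handler names and sample page text
// are assumptions for illustration.

// Only names in this map can be invoked. A [[shortcode]] naming anything else
// (any other PHP function included) is left in the text exactly as typed.
$shortcodeHandlers = [
    // [[utube 1 VIDEO_ID]]: the original format's leading "1" arrives as $args[0]
    // and is unused here; $args[1] is the video id.
    'utube' => function (array $args): string {
        $id = $args[1] ?? '';
        // Accept only the character set a video id can contain; reject the rest.
        if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $id)) {
            return '';
        }
        return '<iframe src="https://www.youtube.com/embed/'
            . htmlspecialchars($id, ENT_QUOTES, 'UTF-8') . '"></iframe>';
    },
    'year' => fn(array $args): string => date('Y'),
];

function shortcodify(string $content, array $handlers): string
{
    // name = letters/digits/underscore; args = whitespace-separated words
    return preg_replace_callback(
        '#\[\[([A-Za-z0-9_]+)((?:\s+[^\s\]]+)*)\s*\]\]#',
        function (array $m) use ($handlers): string {
            $name = $m[1];
            $args = preg_split('/\s+/', trim($m[2]), -1, PREG_SPLIT_NO_EMPTY);
            if (!isset($handlers[$name])) {
                return $m[0];           // unknown shortcode: leave it as typed
            }
            // The handler RETURNS its markup. Anything echoed from inside this
            // callback is sent to the browser before print() gets the finished
            // page, which is exactly the "always executes first" symptom.
            return $handlers[$name]($args);
        },
        $content
    );
}

// Constructed page content; the id is a placeholder, not a real video.
$page = "<p>Hello world! Check out my latest video</p>\n"
      . "[[utube 1 VIDEO_ID_PLACEHOLDER]]\n"
      . "<p>Posted [[year]]</p>\n"
      . "[[not_registered 42]]";
print shortcodify($page, $shortcodeHandlers);
```

If an existing handler such as utube() prints its HTML, wrap it with ob_start()/ob_get_clean() inside the map entry so the captured string is returned instead; the replacement then lands where the shortcode was written.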
I am writing an import script for CSV files and I need to validate the data. Most of the data is strings, so I want to use something like JInput to sanitize it.
Does Joomla already have something for this purpose?
It would be ideal to have something like:
$field = JSanitizer::get($data /* array with data */, "fieldname" /* name of field */,
                         'string' /* type of data */, 'null' /* default value */);
Also I would need it to work both in Joomla 2.5 and 3.0 versions.
You are probably looking for JFilterInput::clean(). This would work as follows:
$field = JFilterInput::clean($data[$fieldname], 'filter');
This does not give a way to set a default value, so you would have to handle that afterwards. This should be the same filtering that is typically done with JInput as well as on JForm elements if you write custom components.
I can't seem to find a good list of all the filters, but you can see an old version of the source here: http://docs.joomla.org/API16:JFilterInput/clean. The most recent version of the function starts at line 162 here: https://github.com/joomla/joomla-cms/blob/master/libraries/joomla/filter/input.php
Note also that you will want to pull the field out of the data array yourself. You can actually send it the entire array without a filter setting and it should at least check the entire array for XSS and other issues. If you want more nuanced filtering for integers and such, it would be best to do it field by field.
$field = JFilterInput::clean($data[$fieldname], 'filter');
will fire a notice:
"Non-static method JFilterInput::clean() should not be called statically"
You should instantiate this with JFilterInput::getInstance() first and call it dynamically, e.g.:
$field = JFilterInput::getInstance()->clean($data[$fieldname], 'filter');
Tom
You should read the Joomla docs and use something like this before parsing the file: $string = JRequest::getString('description');
This should work across all versions since 1.5.
There have been some GitHub projects to implement HTML Purifier as a plugin. I found this, but haven't had a chance to test it; it should work though.
I want to enable users to edit pages with an editor (CKEditor).
The problem is that I want to prevent XSS, so when I'm using:
$this->input->post('content', TRUE)
it also removes some HTML content; for example, the following code:
<script></script><p><span style="color:#800000;">text</span></p>
becomes:
[removed][removed]<p><span
So yes, it prevents XSS, but it also removes some necessary HTML content.
What should I do to fix it?
Don't use their built-in XSS functionality. Use HTML Purifier to do it for you. That way you have more control over what is and isn't removed.
Try this simple way: change this code $this->input->post('content', TRUE) into $_POST['content']. It works for me because CodeIgniter will do XSS filtering when you run $this->input.
Instead of this you can use the code below.
$content = htmlspecialchars($this->input->post('content'));
Then save it to the database, and at the time of retrieval you can use
htmlspecialchars_decode('your html code');
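What the "use HTML Purifier" answer is getting at, shown as an added example rather than CodeIgniter's or HTML Purifier's code: parse the editor output into a DOM, keep only an explicit allowlist of tags and attributes, and drop the rest. On the question's sample this keeps `<p><span style="color:#800000;">text</span></p>` intact and removes the `<script>` element instead of rewriting it to `[removed]`. The allowlist itself is an assumption chosen for that sample.

```php
<?php
// Added example (not from CodeIgniter or HTML Purifier). The allowlist is an
// assumption for the question's sample markup; extend it per site policy.

function sanitizeHtml(string $html): string
{
    $allowedTags = [
        'p'      => ['style'],
        'span'   => ['style'],
        'strong' => [],
        'em'     => [],
        'br'     => [],
    ];

    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // editor output is not always well formed
    $doc->loadHTML(
        '<!DOCTYPE html><html><head>'
        . '<meta http-equiv="Content-Type" content="text/html; charset=utf-8">'
        . '</head><body><div id="root">' . $html . '</div></body></html>'
    );
    libxml_clear_errors();

    $root = (new DOMXPath($doc))->query('//div[@id="root"]')->item(0);
    if ($root === null) {
        return '';                      // fail closed if the wrapper did not survive parsing
    }
    cleanNode($root, $allowedTags);

    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child); // text nodes are re-escaped on serialisation
    }
    return $out;
}

function cleanNode(DOMNode $node, array $allowed): void
{
    // Work on a copy: removing children while iterating the live list skips nodes.
    foreach (iterator_to_array($node->childNodes, false) as $child) {
        if ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if (!isset($allowed[$tag])) {
                $node->removeChild($child);     // element AND its subtree are gone
                continue;
            }
            foreach (iterator_to_array($child->attributes, false) as $attr) {
                $name = strtolower($attr->name);
                $keep = in_array($name, $allowed[$tag], true)
                    // style is accepted only as a single colour declaration
                    && ($name !== 'style'
                        || preg_match('/^\s*color:\s*#[0-9a-fA-F]{3,6};?\s*$/', $attr->value));
                if (!$keep) {
                    $child->removeAttribute($attr->name);   // covers every on* handler
                }
            }
            cleanNode($child, $allowed);
        } elseif (!$child instanceof DOMText) {
            $node->removeChild($child);         // comments, CDATA, processing instructions
        }
    }
}

// Constructed input: the question's sample plus a few things the allowlist must reject.
$input = '<script>doSomething()</script>'
       . '<p><span style="color:#800000;" onclick="doSomething()">text</span></p>'
       . '<a href="#">link</a><!-- note --><p style="background:url(x)">more</p>';
echo sanitizeHtml($input), "\n";
```

Run the sanitizer on the raw `$this->input->post('content')` (without the TRUE second argument) before storing, and keep the global XSS filter off for that one field; storing the cleaned markup and echoing it as-is is then consistent, whereas escaping on store and decoding on output, as the other answer suggests, puts the original markup back unfiltered.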
I am writing my own download tracker and I want to offer users the ability to show a custom message on the download page. I want to allow HTML and JavaScript, so users can write a paragraph or use an ad code etc.
I am storing my settings in a config file (not the best way I know)
Example: <?php define("WAIT_MESSAGE", "htmlcodehere"); ?>
The problem is that quotes or slashes mess up the config file and the settings page will not load. I've looked into addslashes to try and escape these characters, but it just adds multiple slashes.
What would be the best way to store html content/javascript in my config file?
EDIT: I have tried a few methods, but with all of them quotes are escaped each time I click save to update the config file: \"hello\" becomes \"hello\" etc.
You should NOT trust your users so much that you let them post and save JavaScript and HTML on your site.
Allowing users to actually insert HTML/JavaScript/PHP into your page is a very bad thing to do.
Having said all that, the problem is one that plagues us all from time to time. What you need is to store the HTML code in some format that is not going to change the meaning of the code above.
This problem is usually resolved by converting any such characters to their equivalent HTML entities so that you can safely store the
Take a look at http://php.net/manual/en/function.htmlspecialchars.php and http://www.php.net/manual/en/function.htmlspecialchars-decode.php for more info.
Have you tried it with single quotes (')?
<?php define('WAIT_MESSAGE', '<p>Please wait.. your download starts shortly</p>'); ?>
That is not safe at all. Someone could easily inject PHP into it.
What you can do (which is a bit hacky) is to base64_encode() the data, and base64_decode() it when you need to use it. Doing that will get rid of the quotes/special characters problem, and the security problem.
Once you've written the base64-encoded HTML in the config file, to use it you'll do:
<?php
echo base64_decode(WAIT_MESSAGE);
?>
Personally I would hold any editable values within a database to be safe,
but if you really want/need to edit a PHP config file then perhaps this is the safest way.
<?php
/* Function to check if magic_quotes is enabled.
   (Stops double slashes happening.)
   get_magic_quotes_gpc() no longer exists in PHP 8, so guard the call. */
function check_magic_quotes($value) {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

/* Form was posted.
   You should also check that the user is logged in and has rights to edit. */
if ($_SERVER['REQUEST_METHOD'] == 'POST' && isset($_POST['configVal'])) {
    // Check for magic quotes and then base64_encode the string.
    $value = base64_encode(check_magic_quotes($_POST['configVal']));
    /* Use heredoc to create the PHP line for the config and insert the
       base64-encoded string into place (base64 output never contains quotes). */
    $config = <<<CONFIG
<?php define("WAIT_MESSAGE", '$value'); ?>
CONFIG;
    file_put_contents('someConfig.php', $config);
}

// When you want to include the config
if (is_file('someConfig.php')) {
    include('someConfig.php');
    /* To echo out the config value: base64_decode it,
       then htmlentities-encode it to protect from XSS. */
    echo 'This was included: ' . htmlentities(base64_decode(WAIT_MESSAGE));
}

// Basic form with the current value, read from someConfig.php without including it
$current = '';
if (is_file('someConfig.php')) {
    $config = file_get_contents('someConfig.php');
    if (preg_match("#\"WAIT_MESSAGE\", '(.*?)'#", $config, $match)) {
        $current = base64_decode($match[1]);
    }
}
?>
<form method="POST" action="">
<p>Config Value: <input type="text" name="configVal" value="<?php echo htmlentities($current); ?>" size="20"><input type="submit" value="Update"></p>
</form>
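An alternative to the base64 trick, added here as an example and not code from the thread: let PHP itself produce the config file with var_export(), which emits a correct string literal no matter which quotes, backslashes or `?>` the value contains, so nothing the user types can break the file or change what it defines. The file name, the atomic-write step and the settings layout are this example's assumptions.

```php
<?php
// Added example (not from the thread). Settings are stored as a PHP array
// literal generated by var_export(); the file name is an assumption.

const SETTINGS_FILE = __DIR__ . '/settings.php';

function saveSettings(array $settings): void
{
    // var_export() writes a valid literal for every string, so the user's
    // quotes, backslashes and "?>" cannot terminate the string or the file.
    $php = "<?php\nreturn " . var_export($settings, true) . ";\n";

    // Write to a temp file and rename it into place, so an include() running at
    // the same moment never sees a half-written file.
    $tmp = SETTINGS_FILE . '.tmp';
    if (file_put_contents($tmp, $php, LOCK_EX) === false || !rename($tmp, SETTINGS_FILE)) {
        throw new RuntimeException('could not write ' . SETTINGS_FILE);
    }
    chmod(SETTINGS_FILE, 0640);                 // readable by the web server only
    if (function_exists('opcache_invalidate')) {
        opcache_invalidate(SETTINGS_FILE, true); // otherwise a cached copy may be served
    }
}

function loadSettings(): array
{
    if (!is_file(SETTINGS_FILE)) {
        return [];
    }
    $data = include SETTINGS_FILE;
    return is_array($data) ? $data : [];
}

// Round trip with a constructed value full of the characters that broke the
// define("WAIT_MESSAGE", "...") approach in the question.
$message = 'Please "wait"... it\'s <b>starting</b> \\ soon ?> <script>x()</script>';
saveSettings(['WAIT_MESSAGE' => $message]);
$loaded = loadSettings();
var_dump($loaded['WAIT_MESSAGE'] === $message);

// Render: the stored value is still untrusted input. Escape it, or run it
// through an HTML allowlist sanitizer if limited markup has to be kept;
// echoing it raw would hand every admin of the settings page script execution
// in visitors' browsers.
echo htmlspecialchars($loaded['WAIT_MESSAGE'], ENT_QUOTES | ENT_HTML5, 'UTF-8'), "\n";
```

If the file does not have to be PHP, json_encode()/json_decode() to a `.json` file gives the same guarantee with no risk of the config ever being executed as code.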