Epihedron / Adventurer

Adventurer webpage and assets
epihedron.com

code can be written in input fields #46

Closed 13ruce1337 closed 10 years ago

13ruce1337 commented 10 years ago

Since the values are presented in labels, more HTML can be written inside of the input boxes and shown on the character console on load.

13ruce1337 commented 10 years ago

Read up about HTML injections and SQL injections. Some good links:

Seems to be simple to fix. Also may need to switch to PDO because the mysql_real_escape_string() method will be deprecated as of PHP 5.5.0.

13ruce1337 commented 10 years ago

Now using this function to clean HTML strings in JavaScript before showing them in the view:

function strip(html) {
    // Parse the stored string as HTML into a detached <div> ...
    var tmp = document.createElement("DIV");
    tmp.innerHTML = html;
    // ... and return only its text content, dropping the tags.
    return tmp.textContent || tmp.innerText || "";
}

Currently you must manually remove the value from the database.
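Two caveats a reviewer would raise about the strip() fix above. First, it is a sanitizer that runs the attacker's markup through the HTML parser before discarding it: assigning innerHTML on a detached element does not execute `<script>`, but an `<img src=x onerror=...>` in the stored value can still fire its handler in browsers as soon as the element is created. Second, stripping is the wrong operation for this bug; the label should show the value as text, not as markup, so the fix is to encode on output (or assign via a DOM text property) and leave the database value alone. The following is an added example and not the project's code; `renderLabel`, `setLabelText`, the field name and the sample values are assumptions made for illustration.

```javascript
// Added example (not from the Adventurer repository): render stored values as text.
// Minimal HTML output encoding for the five characters that matter in text
// and attribute-value contexts.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]);
}

// Builds the label markup for the character console from a value read back
// from the database. The stored value is encoded, never parsed, so whatever
// the player typed into the input box is displayed literally.
function renderLabel(fieldName, storedValue) {
  return `<label for="${escapeHtml(fieldName)}">${escapeHtml(storedValue)}</label>`;
}

// When a DOM is available, skip string building entirely: textContent sets
// text and never invokes the HTML parser, so there is nothing to strip.
function setLabelText(labelEl, storedValue) {
  labelEl.textContent = String(storedValue);
  return labelEl;
}

// Constructed sample values, the kind a player could have saved through the
// unprotected input fields described in the issue.
const SAMPLE_VALUES = [
  'Thorin',
  '<b>Thorin</b>',
  '<img src=x onerror=alert(1)>',
  'Thorin "the" <3',
];

// Returns the rendered labels for every sample value; none contains a raw tag.
function renderAll() {
  return SAMPLE_VALUES.map(v => renderLabel('charname', v));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderAll().join('\n'));
}
```

Encoding on output is the complement of the server-side change suggested in the second comment: PDO prepared statements keep the value from altering the SQL query, and output encoding keeps it from altering the page. Neither requires deleting rows by hand, because the stored string is harmless once it is never interpreted as code.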