Translations won't show

[GoogleCodeExporter]

What steps will reproduce the problem?
1. Add translation notes, save.
2. Refresh the page.

What is the expected output? What do you see instead?
http://i.imgur.com/TYrojs9.jpg
Boxes appeared solid instead of transparent. They're moved from their original 
saved position. Translation won't appear when hovering mouse over these boxes. 
I can't hide nor delete these boxes either.

What version of the product are you using? On what operating system?
1.0.2, Win 7 64x.

Please provide any additional information below.
Post 8 was the first image which I added translation to. The problem described 
above affected all posts from 9 onward. With post 8, I can still see 
translation, add, delete, and hide boxes normally. After that, I tried adding 
translations for post 1->7 and see that they work too.

However, in the "working" posts (1->8), HTML text formating only work right 
after saving. They're broken after refreshing.

Original issue reported on code.google.com by saluki.n...@gmail.com on 8 Apr 2013 at 6:11

[GoogleCodeExporter]

That seems to be a Javascript problem.
Is the server online?
If not, what browser do you use?
If you use Chrome, press Ctrl + J to bring up the Javascript console. Then go 
to any of the posts where the notes don't work and see if any error is logged.

What do you mean with "HTML text formating"?

Original comment by asterixvader on 8 Apr 2013 at 7:17

• Changed state: Accepted

[GoogleCodeExporter]

I'm using offline server. The problem happens in both Firefox 21 and Chrome.

Javascript console gave "Uncaught SyntaxError: Unexpected identifier" for posts 
where notes don't work.

HTML text formating are , <i></i>, <a href=...></a>, etc.

Original comment by saluki.n...@gmail.com on 8 Apr 2013 at 8:49

[GoogleCodeExporter]

I'm unable to do anything if I can't track down the error.

Unless you do this: go to the page with error, press Ctrl+S, save it and upload 
it here. Preferably with Chrome. I might be able to track the error that way.

As for HTML, notes don't support HTML. You aren't supposed to enter HTML there, 
just imagine the potential danger. It doesn't work after refreshing because 
it's encoded server-side.

Original comment by asterixvader on 8 Apr 2013 at 9:21

[GoogleCodeExporter]

Sure, I attached the webpage.

>As for HTML [...]
I understand the potential danger. But is there any way I can turn the support 
on? 

On that note, Danboory had been supporting HTML in notes for years. Do they 
have an extra security method to cover that or are they just accepting the risk?

Original comment by saluki.n...@gmail.com on 8 Apr 2013 at 9:40

Attachments:

• [1girl blonde hair bust fan folding fan from behind hat solo touhou translated yakumo yukari zounose Image Manager.htm](https://storage.googleapis.com/google-code-attachments/my-imouto-booru/issue-104/comment-4/1girl blonde hair bust fan folding fan from behind hat solo touhou translated yakumo yukari zounose Image Manager.htm)

[GoogleCodeExporter]

Please send all the saved files, not just the .htm file~

Ah. I just checked the code and yes, you're right, it's supposed to allow HTML. 
The thing was that I couldn't (or didn't bother to) find an HTML sanitizer, so 
I opted to just encode the HTML.

If you want avoid it from being encoded, it's simple:
1. Open the file app\views\post\show_partials\_image.php
2. Go to line 11, you'll see this: <?= $this->h($note->formatted_body()) ?>
3. Remove the $this->h(), so it's: <?= $note->formatted_body() ?>
Note that you'd have to do this after every system update.

I'll try to find a light HTML sanitizer. Thanks for pointing it out.

Original comment by asterixvader on 8 Apr 2013 at 9:55

[GoogleCodeExporter]

Lol sorry, here you go again. And thanks for the tip.

Original comment by saluki.n...@gmail.com on 9 Apr 2013 at 3:53

Attachments:

• [Image Manager_files.zip](https://storage.googleapis.com/google-code-attachments/my-imouto-booru/issue-104/comment-6/Image Manager_files.zip)

[GoogleCodeExporter]

Alright... The reason is a different problem.

If you still have this problem, try creating a topic in the forum.

Original comment by asterixvader on 12 Apr 2013 at 1:32

• Added labels: Component-Persistence

[GoogleCodeExporter]

I still have this problem even after a clean install of 1.0.3 (not upgrade). 
Now I can't create notes on any post.

I can create a topic in the forum fine.

Original comment by saluki.n...@gmail.com on 12 Apr 2013 at 8:42

[GoogleCodeExporter]

Alright, I think I found out what the problem is.

Plase go to the file and line I mentioned before, and add the addslashes 
function, so it looks like this:

<?= addslashes($this->h($note->formatted_body())) ?>

Let me know if that fixes the problem.

Original comment by asterixvader on 12 Apr 2013 at 10:29

• Added labels: Component-Logic
• Removed labels: Component-Persistence

[GoogleCodeExporter]

So line 11 became
<div class="note-body" id="note-body-<?= $note->id ?>" title="Click to 
edit"><?= addslashes($this->h($note->formatted_body())) ?></div>

That doesn't fix it...

Do you have this problem in your install as well, or is this entirely on my end?

Original comment by saluki.n...@gmail.com on 12 Apr 2013 at 11:31

[GoogleCodeExporter]

I don't have problems with notes. But I checked for Javascript errors in the 
evidence you uploaded and I found there was..... wait.

My bad. Not in that line, remove the addslashes() there and add them in line 44:

Note.all.push(new Note(<?= $note->id ?>, false, '<?= 
addslashes($this->h($note->body)) ?>'))

If that doesn't fix the problem I will delete this project entirely.

Original comment by asterixvader on 13 Apr 2013 at 12:29

[GoogleCodeExporter]

Yay, that fixed it. Thank you!

Curious question: why doesn't my php run addslashes() by default but yours does?

Original comment by saluki.n...@gmail.com on 13 Apr 2013 at 9:57

[GoogleCodeExporter]

The thing was that your notes have single quotes (') and that screwed up the JS 
code:

Note.all.push(new Note(15, false, 'This won't work'))

As you can see, the string would be "This won" and the following characters 
would cause the "Uncaught SyntaxError: Unexpected identifier" error you saw on 
the console.

I never entered single quotes in my notes, hence I couldn't have this problem.

I checked Moebooru and the escaping is there:

Note.all.push(new Note(<%= note.id %>, false, '<%= h note.body.to_escaped_js 
%>'))

But I worked on this section long, long time ago. Apparently I didn't mind 
checking what the "to_scaped_js" method does and I just skipped it, hehe... 
...this is actually a pretty important security issue.

Many thanks for reporting~

Original comment by asterixvader on 13 Apr 2013 at 11:54

• Changed state: Verified
• Added labels: Priority-High
• Removed labels: Priority-Medium