qam4 / ebattles

Automatically exported from code.google.com/p/ebattles

Security: Always use htmlspecialchars on textarea output #9

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Security: check every textarea / input style="text" and see if we use htmlspecialchars when treating the output.

Original issue reported on code.google.com by frederic...@gmail.com on 3 Sep 2009 at 6:45

GoogleCodeExporter commented 9 years ago

Original comment by frederic...@gmail.com on 3 Sep 2009 at 6:46

GoogleCodeExporter commented 9 years ago

Original comment by frederic...@gmail.com on 3 Sep 2009 at 6:52

GoogleCodeExporter commented 9 years ago
Here is an example of how to use e107 functions for textareas.
Admin Preferences available:
 - Enable WYSIWYG textareas:
   Will display a what-you-see-is-what-you-get editor in textareas when available. Applies only to Admins and Users that are allowed to post HTML.
 - Allow HTML posting userclass:
   This will allow users to post HTML code anywhere on the site; select the userclass to allow this.
 - If WYSIWYG is not available, a BB code help toolbar is displayed.

Security, Data Filtering:
 - Posted data is filtered by $tp->toDB() function before insertion in database.
 - Displayed data is filtered by $tp->toHTML() function before being displayed.

--------------------------------------------------------------
require_once(HEADERF);  // defines e_WYSIWYG

// these have to be set for the tinymce wysiwyg
global $e_wysiwyg;

// Specify if we use WYSIWYG for text areas
$e_wysiwyg = "textarea_name";
if (e_WYSIWYG)
{
    $insertjs = "rows='25'";
}
else
{
    require_once(e_HANDLER."ren_help.php");
    $insertjs = "rows='15' onselect='storeCaret(this);' onclick='storeCaret(this);' onkeyup='storeCaret(this);'";
}
--------------------------------------------------------------
// Form: re-display the previously posted value (filtered) when the form is shown again
$post = isset($_POST['textarea_name']) ? $tp->toDB($_POST['textarea_name']) : '';

// Show textarea
$text .= '<textarea class="tbox" id="textarea_name" name="textarea_name" style="width:500px" cols="70" rows="4" '.$insertjs.'>'.$post.'</textarea>';
if (!e_WYSIWYG)
{
    // display BB code help
    $text .= "<br />".display_help("helpb","comment");
}
--------------------------------------------------------------
// After form submit, before insert to database
$post = $tp->toDB($_POST['textarea_name']);

$q = "INSERT INTO TBL(post) VALUES ('$post')";
$result = $sql->db_Query($q);

--------------------------------------------------------------
// Display
$post = mysql_result($result, 0, TBL.".post");

$text .= $tp->toHTML($post, true)."<br />\n";

Original comment by frederic...@gmail.com on 11 Dec 2009 at 4:51
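The rule in the issue title, shown in plain PHP as an added example (not code from the ebattles project or from e107; the helper names `render_textarea` and `textarea_is_intact` are mine):

```php
<?php
// Added example: why textarea output must always go through htmlspecialchars.

/**
 * Render a <textarea> whose name and contents are always HTML-encoded.
 * ENT_QUOTES also encodes single quotes, so the value stays safe inside
 * either attribute quote style; ENT_SUBSTITUTE keeps invalid UTF-8 from
 * turning the whole output into an empty string.
 */
function render_textarea(string $name, string $value): string
{
    $flags     = ENT_QUOTES | ENT_SUBSTITUTE;
    $safeName  = htmlspecialchars($name, $flags, 'UTF-8');
    $safeValue = htmlspecialchars($value, $flags, 'UTF-8');

    return '<textarea class="tbox" id="' . $safeName . '" name="' . $safeName
         . '" cols="70" rows="4">' . $safeValue . '</textarea>';
}

/**
 * Sanity check for rendered markup: a textarea whose value was encoded has
 * exactly one closing tag. More than one means the value closed the element
 * early and everything after it is now live HTML.
 */
function textarea_is_intact(string $html): bool
{
    return substr_count(strtolower($html), '</textarea>') === 1;
}

// Constructed sample input: user text containing quotes and a closing tag.
$submitted = 'Hello "world" </textarea><b>outside the textarea</b>';

// The pattern this issue is about: raw value echoed straight into the element.
$unsafe = '<textarea name="post">' . $submitted . '</textarea>';

// The corrected pattern: the same value passed through htmlspecialchars.
$safe = render_textarea('post', $submitted);

// The unsafe rendering fails the check; the encoded one passes.
var_dump(textarea_is_intact($unsafe));
var_dump(textarea_is_intact($safe));
echo $safe, "\n";
```

The same check applies to `input type="text"` values, where the value sits inside an attribute and the quote encoding from ENT_QUOTES is what keeps it there.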

GoogleCodeExporter commented 9 years ago
This issue was closed by revision r147.

Original comment by frederic...@gmail.com on 11 Dec 2009 at 8:30