I created a form that included an input type="textarea" and after submit (if there was an edit error for example), the contents of the textarea were redisplayed to show all the special characters as html entities. I realize that they're being processed to protect me from code insertion, but is there a way to not show the user those confusing characters to the user after they've submitted (like with the php htmlentities() function)?

Entered:

Code: Select all

Let's use this "example"!

Displayed after processing:

Code: Select all

Let's use this "example"!

Still haven't found the fix for this.

Anyone???

[KK]

I'd suggest you please use the richtext editable region instead. You can turn off most of the buttons in its toolbar (please see the docs) so it will not look much different to a textbox but will show the quotes as you desire in its normal view (in its source-view, though, you'll see the same quotes as shown in the textarea).

No, I'm not talking about an editable region in the admin section, I'm talking about a "Contact Us" form that I put on a page:

Code: Select all

<cms:input type="textarea" cols="35" rows="5" name="message" required='1' label='Message'>/cms:input>

If the user fills in the textarea as I described, then the form maybe has an error in it and redisplays, that's when the textarea gets messed up.

[KK]

I'm afraid, that is a security measure and cannot be bypassed.

If that is really bothersome, you can try adding CKEditor to that textarea externally - include the required JS files and invoke CKEditor. The details can be found on CKEditor's site.

[trendoman]

If the user fills in the textarea as I described..

There is nothing wrong to use default html <textarea>. If you need to work with the value of your submitted textarea inside k_success, you can get its value and store as a frm variable for unity. Please try the following piece:

Code: Select all

<pre>
    <cms:form name='form' method='post' >
  
      <cms:if k_success >
          <cms:set frm_comment = "<cms:gpc 'comment' />" scope='parent' />
          <cms:dump />
              <cms:hide>FOR SECURITY REASONS</cms:hide>
              SUBMITTED: <cms:show frm_comment />
              <cms:set frm_comment = "<cms:html_encode><cms:show frm_comment /></cms:html_encode>" scope='parent' />
              SECURED: <cms:show frm_comment />
      <cms:else_if k_error />
          <cms:set frm_comment = "<cms:gpc 'comment' />" scope='parent' />
          <cms:dump />
      </cms:if>
      
      <textarea name="comment" >"hello"</textarea>
      <cms:input type='submit' name='submit' />
      
    </cms:form>
</pre>

You can see, we look for the value of submitted textarea, then show it to the user as is. For our internal work with submitted data we may later impose the same security operation to make sure against script attacks.

Trendoman: THanks for the suggestions, but I've played with your code (and mine) for hours and still can't get this to work "nicely". If I use an html <textarea> then it's not included in the k_success variable so I'm stuck with the <cms:input type="textarea"... approach. I just don't understand why the translated html entities have to appear onscreen after submitting with an error. It's very confusing to the user submitting the form to see this gibberish and they try to correct the text before resubmitting. Here's an example:

Code: Select all

<?php require_once( 'couch/cms.php' ); ?>
<cms:template title='Test'>
</cms:template>
<!DOCTYPE html>
<html lang="en">
<head>
</head>
<body>
   <h2>TEST</h2>
    <cms:form name='form' method='post' >
      <cms:if k_success >
          <cms:dump />
          <p>Success</p>
      <cms:else_if k_error />
          <cms:show k_error />
        <p>Error!</p>
      </cms:if>
      Book:<cms:input type="text" name="book" required='1' validator='min_len=20' />
      Desc:<cms:input type="textarea" name="comment" ><cms:show frm_comment /></cms:input>
      <cms:input type='submit' name='submit' value='submit' />
    </cms:form>
</body>
</html>
<?php COUCH::invoke(); ?>

Form as filled in:

before.png (3.82 KiB) Viewed 3677 times

Form after submitting with an error:

after.png (6.14 KiB) Viewed 3677 times

[cheesypoof]

I find it to be quite an annoyance as well @wysocki. I imagine for users, it is also a source of confusion.

I haven't investigated @trendoman's solution, but maybe he can help you get it working.

Server-side solutions to this make me nervous about the potential for introducing vulnerabilities. I would personally perhaps tackle this issue with JavaScript by updating the input values with the help of jQuery and a library such as https://github.com/mathiasbynens/he.

[trendoman]

If I use an html <textarea> then it's not included in the k_success variable

Can't agree here. The thing is, to be included in k_success area, Couch creates internally frm_* variables for each of its cms:input. So, we can also create these variables externally in code for bare-bone html5 inputs. And name them the usual way (as we like).

Code: Select all

<cms:set frm_book = "<cms:gpc 'book' />" scope="parent" />

The piece above would take the values from the submitted form and does the trick. Probably you forgot to include it in k_error. I am sure I have used creation of frm_comment in the previous answer.

Now, to show submitted values in your inputs "as is" we must remove couch inputs and have only html5 left. k_success will still have both variables, because we take care of it. Validation is now on the shoulders of browser and html5 code, instead of server-side validation. Below is a full working sample of such a form.

Code: Select all

  
     <cms:form name='form2' method='post' >
      <cms:if k_success >
          <cms:set frm_comment = "<cms:gpc 'comment' />" scope='parent' />
          <cms:set frm_book = "<cms:gpc 'book' />" scope='parent' />
          <cms:dump />
          <p>Success</p>
      <cms:else_if k_error />
          <cms:set frm_comment = "<cms:gpc 'comment' />" scope='parent' />
          <cms:set frm_book = "<cms:gpc 'book' />" scope='parent' />
          <cms:show k_error />
          <cms:dump />
        <p>Error!</p>
      </cms:if>
       Book:<input type="text" name="book" pattern=".{20,}" title="Minimum length - 20" required='1' value="<cms:show frm_book />">
       Desc:<textarea name="comment" ><cms:show frm_comment /></textarea>
      <cms:input type='submit' name='submit' value='submit' />
    </cms:form>
  

I have used title field for validation message. If it doesn't suit you completely then to customize validation error message there is another solution with a bit of JS. Instead of title place both commands below inside the target input and it will completely replace default browser message.

oninvalid="this.setCustomValidity('Put here custom message')"
oninput="setCustomValidity('')"

Hope this answers your request.
And, please, make sure to sanitize user-submitted values before storing in database or using somewhere. cms:html_encode would be enough.

... I agree that it looks very offputting and like there is an error for a user to see their name - say O'Connor - displayed as O&#039;Connor

I haven't been able to get trendoman's suggestion to work on a databound form which allows a registered user to edit their own profile (based on the example template profile.php). Are there any other solutions that anyone knows of?