Problems, need help? Have a tip or advice? Post it here.
3 posts Page 1 of 1
Hi there, I am submitting some data using a separate PHP script in the following manner. The problem is that in my surveyResponses.php template there exist three text-type editable regions, viz. account, service_category, and sub_service_category. These fields' values are stored in the database with HTML special characters. I tried to use some PHP functions with it, but it still gets inserted the same.

for example:
AT&T is getting inserted as AT&amp;T


<cms:php>
  if(isset($_POST['submit'])){
   
   global $CTX, $FUNCS;
   
   
   $account = $FUNCS->cleanXSS($_POST['account']);
   $category = $FUNCS->cleanXSS($_POST['service_category']);
   $sub_service_category = $FUNCS->cleanXSS($_POST['sub_service_category']);
   $email = $FUNCS->cleanXSS($_POST['email']);

   $questionCount = $_POST['questioncount'];
   $CTX->set( 'questioncount', $questionCount);
   
   /* Send data from PHP to Couch */
   $CTX->set( 'account', $account );
   $CTX->set( 'service_category', $category);
   $CTX->set( 'sub_service_category', $sub_service_category);
   $CTX->set( 'email', $email);
  }
</cms:php>

<cms:repeat count="<cms:show questioncount />" startcount='0'>
   <cms:php>
      global $CTX, $FUNCS;
      
      // Build the names of the posted fields (question0, answer0, question1, ...).
      // "question" and "answer" must be quoted strings, not bare constants.
      $questionNo = "question" . "<cms:show k_count />";
      $answerNo = "answer" . "<cms:show k_count />";
      
      $question = $FUNCS->cleanXSS($_POST["$questionNo"]);
      $answer = $FUNCS->cleanXSS($_POST["$answerNo"]);
      
      $CTX->set('question',$question);
      $CTX->set('answer',$answer);
      $CTX->set('randomName',"<cms:random_name />");
   </cms:php>
   
   <cms:db_persist
      _masterpage='surveyForm.php'
      _mode='create'
      _invalidate_cache='0'
      _autotitle='0'
      k_page_title=question
      k_page_name=randomName
      question=question
      answer=answer
   >
   
   <cms:if k_error >
        <font color='red'>ERROR:
        <cms:each k_error >
            <cms:show item /><br>
        </cms:each>
        </font>
      
    <cms:else />
   
      <cms:if k_count='0'>
         <cms:set pageIds="<cms:show k_last_insert_id />" 'global' />
         <cms:else/>
         <cms:set pageIds="<cms:show pageIds /> , <cms:show k_last_insert_id />" 'global' />
      </cms:if>
   
   
    </cms:if>
</cms:db_persist>   
</cms:repeat>


<cms:php>
      global $CTX;
      $CTX->set('randomName',"<cms:random_name />");
</cms:php>

<cms:db_persist
         _masterpage='surveyResponses.php'
         _mode='create'
         _invalidate_cache='0'
         _autotitle='0'
         k_page_title=account
         k_page_name=randomName
         response_details=pageIds
         account=account
         service_category=service_category
         sub_service_category=sub_service_category
         email=email
/>
Hi,

That is $FUNCS->cleanXSS sanitizing the submitted data to prevent XSS.

Normally, it is a good thing, but if you are sure you are not going to output that data anywhere on the frontend, you can skip that security feature by removing that routine from your code.

Hope it helps.
Hi,

It seems something different is happening, because I have a different form working in the same manner. But when I send the same data, set using the cms:set tag, to an HTTP REST API, the data goes out as '&', while the same value stored in the DB is '&amp;'. Please suggest.

Following is a snippet of my other form submission:
<?php require_once('../onyxadmin/cms.php'); ?>
<?php require_once('parser.php'); ?>


<cms:template hidden='1' title='Script' />
<cms:php>
  if(isset($_POST['submit'])){
   
   global $CTX, $FUNCS;
   
   
   $template = $FUNCS->unhtmlspecialchars($_POST['template']);
   $account = $FUNCS->unhtmlspecialchars($_POST['account']);
   $opportunityName = $FUNCS->unhtmlspecialchars($_POST['opportunity-name']);
   $email = $FUNCS->unhtmlspecialchars($_POST['email']);
   $closeDate = $FUNCS->unhtmlspecialchars($_POST['close-date']);
   $stage = $FUNCS->unhtmlspecialchars($_POST['stage']);
   
   /* Send data from PHP to Couch */
   $CTX->set( 'template', $template );
   $CTX->set( 'account', $account);
   $CTX->set( 'opportunityName', $opportunityName);
   $CTX->set( 'closeDate', $closeDate);
   $CTX->set( 'email', $email);
   $CTX->set( 'stage', $stage);
  }
 
  $CTX->set('randomName',"<cms:random_name />");
</cms:php>

<cms:db_persist
  _masterpage='opportunities.php'
  _mode='create'
  _invalidate_cache='0'
  _autotitle='0'
  k_page_title=account
  k_page_name=randomName
  name=opportunityName
  account=account
  stage=stage
  template=template
  email=email
  close_date=closeDate
>

<cms:if k_error >
        <font color='red'>ERROR:
        <cms:each k_error >
            <cms:show item /><br>
        </cms:each>
        </font>
      
    <cms:else />
       <cms:set insertionCheck="<cms:show k_last_insert_id />" />
</cms:if>

</cms:db_persist>

<cms:php>
global $CTX, $FUNCS;   
if(isset($_POST['submit'])){
   $APIAuth = new parser(
   "<cms:get_custom_field 'consumer_id' masterpage='globals.php' />",
   "<cms:get_custom_field 'consumer_secret_key' masterpage='globals.php' />",
   "<cms:get_custom_field 'username' masterpage='globals.php' />",
   "<cms:get_custom_field 'password' masterpage='globals.php' />",
   "<cms:get_custom_field 'security_token' masterpage='globals.php' />",
   "<cms:get_custom_field 'url' masterpage='globals.php' />");
   
   $parameters['httpHeader'] = $APIAuth->get_authorization_parameters();
   
   
   $PushData = array();
   $data['account'] = "<cms:show account />";
   $data['opportunityName'] =  "<cms:show opportunityName />";
   $data['closeDate'] = "<cms:show closeDate />";
   $data['stage'] = "<cms:show stage />";
   
   // Wrap the fields under 'data' in the same array that is JSON-encoded below
   $PushData['data'] = $data;
   
   $parameters['postfields'] = json_encode($PushData, JSON_UNESCAPED_SLASHES);

   $check = ' * '; //*Here is the call to HTTP REST API which return boolean true if success or false
   $CTX->set('submitResult', 1);   
}
</cms:php>
<cms:if submitResult>
         <h2>Inserted Successfully</h2>
    <cms:else/>
    <h2>Not inserted</h2>
</cms:if>
<?php COUCH::invoke(); ?>


Here the data stored in the database contains '&amp;', whereas it is properly conveyed as '&' at the other end. Also, if I don't use the unhtmlspecialchars function and just use $_POST, the same thing happens.
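The following is an added example, not code from this thread or from CouchCMS. It reproduces in plain PHP what the reply above describes (an XSS sanitizer entity-encoding the input before it is persisted) and what the follow-up observes (the database holds '&amp;' while the REST payload should carry '&'), and then shows the usual way out: keep one raw copy of the value, encode it only when it is written into HTML, and hand the raw copy to json_encode for the API. It assumes, for the demonstration only, that $FUNCS->cleanXSS behaves like htmlspecialchars() with ENT_QUOTES; the sample input is constructed.

```php
<?php
// Added example (not from the forum thread or CouchCMS): why '&' is stored as
// '&amp;' and how to serve both an HTML page and a JSON REST payload from one
// raw copy of the value. ASSUMPTION: $FUNCS->cleanXSS() is modelled here as
// htmlspecialchars() with ENT_QUOTES.

declare(strict_types=1);

/** Stand-in for the CMS sanitizer: entity-encodes <, >, &, " and '. */
function sanitize_like_cleanxss(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

/**
 * Output encoding for an HTML context. double_encode=false leaves an existing
 * '&amp;' alone, so a legacy row that was encoded before storage does not turn
 * into '&amp;amp;' on the page.
 */
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8', false);
}

/** Recover the raw text from a row that was entity-encoded before storage. */
function decode_stored(string $stored): string
{
    return html_entity_decode($stored, ENT_QUOTES, 'UTF-8');
}

/** Build the REST body from RAW field values; json_encode escapes '"' itself. */
function build_payload(array $fields): string
{
    return json_encode(
        ['data' => $fields],
        JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE | JSON_THROW_ON_ERROR
    );
}

// Constructed sample input, as the form would POST it.
$post = ['account' => 'AT&T', 'service_category' => 'Voice & "Data"'];

// 1. What the thread observed: sanitizing before persisting stores entities.
$stored = array_map('sanitize_like_cleanxss', $post);   // account => 'AT&amp;T'

// 2. Escaping that stored value again at output double-encodes it.
$doubled = htmlspecialchars($stored['account'], ENT_QUOTES, 'UTF-8'); // 'AT&amp;amp;T'
$safe    = html_escape($stored['account']);                            // 'AT&amp;T'

// 3. Sending the stored value to the API as-is leaks the entity into JSON.
$leaky = build_payload($stored);                              // "account":"AT&amp;T"
$clean = build_payload(array_map('decode_stored', $stored)); // "account":"AT&T"

// 4. Preferred design: persist the raw value, encode only at the HTML sink.
$raw  = $post;                          // this is what goes into the database
$html = html_escape($raw['account']);   // 'AT&amp;T' appears in page source only
$api  = build_payload($raw);            // "account":"AT&T" on the wire

printf(
    "stored: %s\nhtml (double): %s\nhtml (safe): %s\napi (leaky): %s\napi (clean): %s\napi (raw): %s\n",
    $stored['account'], $doubled, $safe, $leaky, $clean, $api
);
```

Run it with the PHP CLI; the lines tagged "api (clean)" and "api (raw)" are the payload shape the REST endpoint in the second form expects, and the "html (double)" line is what a template renders when a pre-encoded row is escaped a second time. One further thing worth checking in the second form's script: `$data['account'] = "<cms:show account />";` relies on Couch expanding the tag before the cms:php body is evaluated, so the field value is spliced into a double-quoted PHP string literal. A value containing a double quote, backslash or dollar sign then alters the PHP source rather than the string; reading the variable back from the context object (its get() counterpart to the set() used above, which I am assuming is available) keeps the value as data.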