$HTML_SUBST problem in displayecard.php $HTML_SUBST problem in displayecard.php
 

News:

CPG Release 1.6.26
Correct PHP8.2 issues with user and language managers.
Additional fixes for PHP 8.2
Correct PHP8 error with SMF 2.0 bridge.
Correct IPTC supplimental category parsing.
Download and info HERE

Main Menu

$HTML_SUBST problem in displayecard.php

Started by Titooy, December 23, 2005, 02:08:39 PM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

Print
Go Down Pages1
User actions

Titooy

December 23, 2005, 02:08:39 PM Last Edit: August 15, 2006, 07:59:36 AM by TranzNDance
since $HTML_SUBST contains '&' => '&', all the &xxx; characters are broken in displayecard.php because of line 43
Code Select
foreach($data as $key => $value) $data[$key] = strtr($value, $HTML_SUBST);

kat-long

#1
July 06, 2006, 07:42:22 AM
When you click on the ecard the link that takes you to the gallery, if you used an apostrophe in your title of message, it gets replaced with '
Try it it: http://206.125.210.89/cpg148/displayimage.php?album=3&pos=2

Sami

#2
July 06, 2006, 07:50:12 AM
you are right
"Alternate link if the e-card does not display correctly" will send you to displaycard.php and here we have " instead of " (every special charcter get filtered)
I think it's a bug
‍I don't answer to PM with support question
Please post your issue to related board

Clanger

#3
August 12, 2006, 07:02:04 PM
Yes, I've noticed this too, it's not just the apostrophe, these characters are also a problem  "  &  <  >.

Doesn't matter where they appear, in the subject line, message body or sender name, always get switched.

Only a problem when viewed via displayecard.php.

Tranz

#4
August 13, 2006, 05:08:01 PM
In displayecard.php:

FIND:
Code Select
foreach($data as $key => $value) $data[$key] = strtr($value, $HTML_SUBST);


REPLACE with:
Code Select
foreach($data as $key => $value) $data[$key] = html_entity_decode(strtr($value, $HTML_SUBST));


Since the encoding is a security feature, I'll need another dev to confirm it is okay to decode the html entities before committing the fix to svn.

Tranz

#5
August 13, 2006, 05:12:01 PM
Merged two threads reporting the same issue. :)

Joachim Müller

#6
August 14, 2006, 08:24:48 AM
Hm, this has to be considered thoroughly indeed: a link can only make it into those fields using bbcode, so we have to rely on the bbcode mechamisms to make sure no malevolent link can make it into the output. Imo, the code fix you suggested should go into the core, as there's nothing particularly different in ecards than in any other regular coppermine page that outputs user input on a page.
Yes, Thu: please go ahead and commit.

Tranz

#7
August 15, 2006, 07:59:14 AM
Fix committed to svn in stable and devel branches.

Nibbler

#8
October 27, 2006, 02:49:59 AM
html_entity_decode() is a PHP 4.3 function, you can't use that without raising the minimum requirements.

You can use

Code Select
strtr($value, array_flip($HTML_SUBST));

instead.
Print
Go Up Pages1
User actions