close ad
Databridge V2 with MySQLi support IS Now Available!
open ad
View Menu

Technical Support Forums

Free, outstanding support from WebAssist and your colleagues

rating

Where or what new condition is showing HTML characters?

Thread began 8/30/2018 4:13 pm by Steve | Last modified 11/12/2018 5:05 pm by Ray Borduin | 48 views | 4 replies |

Steve

Where or what new condition is showing HTML characters?

Hello,
I've had some sites no longer echo back HTML Text as rendered html. This worked fine but now I need use the htmlspecialchars_decode() function to solve the problem. It's a problem as this was not expected and it's disappointing when Customers are the ones making us aware of the change.

Solved as shown:
<?php echo htmlspecialchars_decode($info->getColumnVal("invDescr")); ?>

I guess it's unrealistic to expect rsobj.php automatically re-write with the htmlspecialchars_decode function. So what solutions do we have? Just remember if you work on a page that will render html content from a recordset value, you'll need wrap it in the noted function...

php:
public function getColumnVal($col,$crossSiteProtect=null) {

      if (is_null($crossSiteProtect)) $crossSiteProtect = $this->CrossSiteProtect;
      $colVal = "";
      if (isset($this->Results[$this->Index]) && isset($this->Results[$this->Index][$col])) {
          $colVal = $this->Results[$this->Index][$col];
          if ($crossSiteProtect) $colVal = htmlspecialchars($colVal);
      }
      return $colVal;
    }
Sign in to reply to this post

Ray BorduinWebAssist

The shortcut is to use:

<?php echo $info->getColumnVal("invDescr",false); ?>

You just have to add the extra "false" parameter to tell it to not add the cross site scripting protection on this field.

Sign in to reply to this post

Andrew

This is an extremely useful tip, I'd been tearing my hair out for hours trying to get my book descriptions to appear in my table with their lovely html coding intact, and then I finally spotted the crossSite code section in the getColumnVal function and thought 'hmmm, that's a solid lead to search for answers'... and after all that, ",false" is all it takes and everything's lovely again.

Sign in to reply to this post

neo314

I find this rather frustrating. I would prefer the default be to NOT have that feature and be able to add true to enable it. The vast majority of the time, I am displaying stored information that has been vetted, and would only want this protection on occasion. Using the bindings tab does not include a parameter, so I have to add it with nearly every insertion.

I can customize it in rsobj.php, but then any extension update or perhaps (I have not tested), will wipe out the change.

I would like to see a way to change the default behavior at instantiation.

perhaps adding it to the construct function like:
public function __construct($name,$conn,$maxRows=0,$hardLimit=false,$crossSiteProtect=true) {
...$this->CrossSiteProtect = $crossSiteProtect;

Actually, make that
public function __construct($name,$conn,$maxRows=0,$crossSiteProtect=true,$hardLimit=false) {
...$this->CrossSiteProtect = $crossSiteProtect;
because I think the CSP would be changed more often.

Alternatively a setter method to add to the RS code like:
$rs = new WA_MySQLi_RS("events",$conn_i,0);
$rs->CrossSiteProtect(false);

Sign in to reply to this post

Ray BorduinWebAssist

You can add it to the recordset directly just like you referenced in your code. That works. You have three options.

1) update it in the rsobj.php file (it won't be updated unless the version is updated. You can set the version to a very large number and it will never be updated)
2) update it in the recordset with: $rs->CrossSiteProtect = false; (you can do this at any point, even half way down the page if you want)
3) in each reference to $rs->getColumnVal()... you can turn it on in each reference if it is turned off in the rsobj.php or off when you want if it is on in the rsobj.php file

Sign in to reply to this post

Build websites with a little help from your friends

Your friends over here at WebAssist! These Dreamweaver extensions will assist you in building unlimited, custom websites.

Build websites from already-built web applications

These out-of-the-box solutions provide you proven, tested applications that can be up and running now.  Build a store, a gallery, or a web-based email solution.

Want your website pre-built and hosted?

Close Windowclose

Rate your experience or provide feedback on this page

Account or customer service questions?
Please user our contact form.

Need technical support?
Please visit support to ask a question

Content

rating

Layout

rating

Ease of use

rating

security code refresh image

We do not respond to comments submitted from this page directly, but we do read and analyze any feedback and will use it to help make your experience better in the future.

Close Windowclose

We were unable to retrieve the attached file

Close Windowclose

Attach and remove files

add attachmentAdd attachment
Close Windowclose

Enter the URL you would like to link to in your post

Close Windowclose

This is how you use right click RTF editing

Enable right click RTF editing option allows you to add html markup into your tutorial such as images, bulleted lists, files and more...

-- click to close --

Uploading file...