Technical Support Forums

Server Validation failure issue in HTML Editor

Thread began 2/08/2011 12:45 pm by Jason Byrnes | Last modified 7/22/2013 10:29 am by Jason Byrnes | 3008 views | 10 replies |

Jason Byrnes (WebAssist)

Using Server Validation from CSS Form Builder or Form Toolkit on an HTML Editor instance, when validation fails, the HTML Editor content will be encoded.

To fix the issue, edit the webassist/form_validation/wavt_validatedform_php.php file. Change:

php:
// hand-rolled escaping of <, > and " only
return str_replace("<","&lt;",str_replace(">","&gt;",str_replace('"',"&quot;",$retVal)));

to:

php:
// built-in escaping of the HTML special characters
return htmlspecialchars($retVal);

Andrew Read

It should also be noted that you should change the same line of code in the wavt_validatedform_php.php file located in the configuration folder under \Shared\WebAssist\FormValidations\Scripts\ as well so that it (A) doesn't overwrite the existing files and (B) adds the correct code for any new instances.


Jason Byrnes (WebAssist)

Not necessarily, Andrew.

That code was implemented to prevent Cross Site Scripting attacks. Removing it from all future instances of using the Server Validations would make your forms vulnerable to Cross Site Scripting.

This change should only be made for administration forms where you trust the person filling the form in.

It should not be implemented for public forms where you do not know who is filling the form.

Andrew Read

Originally Said By: Jason Byrnes
  That code was implemented to prevent Cross Site Scripting attacks. Removing it from all future instances of using the Server Validations would make your forms vulnerable to Cross Site Scripting.

Fair enough. For my purposes these all sit in the administrative zone; as such, I have changed that main file.

Jason Byrnes (WebAssist)

That's fine, but I wanted to caution others from taking your advice if they are creating public facing forms.

Public facing forms should not have this modification applied.


Andrew Read

Originally Said By: Jason Byrnes
  That's fine, but I wanted to caution others from taking your advice if they are creating public facing forms.

  Public facing forms should not have this modification applied.



Even if they change this file ONLY within the local site, all of the forms using HTML Editor on that site will reference this modified file.

It should be noted that the reality is: Whether or not you change the main file, the one you did change (local to the site) will make your public forms less secure on these sites.

All HTML Editor instances reference this file, public and private, unless you specify a different version of the file for each type of location (public / private), which is not the default and must be hand coded.

All the more reason that this should be quickly moved up on the 'things to fix' list - this is now a security issue, which is cause for concern.


Jason Byrnes (WebAssist)

The engineering team is looking into correcting the problem.


Jason Byrnes (WebAssist)

I updated the initial post for this sticky to use:

php:
return htmlspecialchars($retVal);

which will prevent the security issue and correct the problem.
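As an added example (not code from this thread or from the WebAssist extension), the PHP below puts the original str_replace chain from the first post beside the htmlspecialchars() replacement and runs both over constructed form values, checking the two properties a value reflected back into a form after failed validation needs: no raw markup character survives, and decoding the result gives back exactly what was submitted. The ENT_QUOTES and 'UTF-8' arguments are my assumption; the thread shows htmlspecialchars($retVal) alone.

```php
<?php
// Added example: compares the thread's str_replace chain with htmlspecialchars()
// on constructed form values (not WebAssist code).
declare(strict_types=1);
// The original chain from the thread: escapes only <, > and ".
function wa_chain_escape(string $retVal): string
{
    return str_replace("<", "&lt;", str_replace(">", "&gt;", str_replace('"', "&quot;", $retVal)));
}

// The replacement from the thread; ENT_QUOTES/UTF-8 are assumptions so ' is covered too.
function wa_hsc_escape(string $retVal): string
{
    return htmlspecialchars($retVal, ENT_QUOTES, 'UTF-8');
}

// Returns the problems found when $escape is used on a value reflected back into a form;
// an empty array means the escaper is safe for that value.
function check_escaper(callable $escape, string $input): array
{
    $problems = [];
    $out = $escape($input);
    // 1. No raw markup character may survive: each one can end an attribute or text node.
    if (preg_match('/[<>"\']/', $out)) {
        $problems[] = 'raw markup character survives';
    }
    // 2. A bare & means entities typed by the user were passed through unchanged.
    if (preg_match('/&(?![a-zA-Z]+;|#\d+;|#x[0-9a-fA-F]+;)/', $out)) {
        $problems[] = 'bare & survives';
    }
    // 3. What the browser decodes and shows must equal what was submitted.
    if (html_entity_decode($out, ENT_QUOTES, 'UTF-8') !== $input) {
        $problems[] = 'round trip changed the value';
    }
    return $problems;
}

// Constructed sample values, as they might arrive in $_POST after a failed validation.
$samples = [
    'plain text',
    "<b>bold</b> & \"quoted\"",
    "it's",
    '&lt;b&gt;already encoded&lt;/b&gt;',
];
foreach ($samples as $s) {
    printf("%-44s chain: %-30s htmlspecialchars: %s\n", var_export($s, true),
        implode(', ', check_escaper('wa_chain_escape', $s)) ?: 'ok',
        implode(', ', check_escaper('wa_hsc_escape', $s)) ?: 'ok');
}
```

Run with `php example.php`: the chain passes only the plain-text value, while the htmlspecialchars() version passes all four, including the value that already contained entities.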

toms016390756

Thanks Mate!


anthony.tanner286315

So why do I get a WA_js alert when I try to validate my form through Spry?

Originally Said By: 89936
  Using Server Validation from CSS Form Builder or Form Toolkit on an HTML Editor instance, when validation fails, the HTML Editor content will be encoded.

  To fix the issue, edit the webassist/form_validation/wavt_validatedform_php.php file. Change:
  php:
  return str_replace("<","&lt;",str_replace(">","&gt;",str_replace('"',"&quot;",$retVal)));

  to:
  php:
  return htmlspecialchars($retVal);


Hi, I created a large form for a client and bound it to a MySQL database in CS3 and Windows 8. My software was freezing when I tried to validate the form. So I purchased CS6 and Data Bridge, and now when I try to validate the form from CS6 I get the following alert.

While executing onLoad in spryValidation Textfield.htm, the following JavaScript error(s) occurred
At line 132 of file C:\Configuration\Shared\Spry\DesignTime\EditingUtils.js: WA_getDocumentDOM is not defined

I am assuming that WA stands for WebAssist, so there seems to be a conflict between DW Spry and the Data Bridge configuration. How can I fix this?

As stated, I am using Windows 8, DW CS6 (but the form was originally set up and bound in CS3) and Data Bridge. I know that there is no issue with CS3, since when I make a new form in CS6 I get the same alert. But when I use the formbuild presets in Data Bridge the Spry validation works. This form is large, and so is the DB. I don't really want to start the form process again, and besides, the conflict needs to be resolved. Please can someone advise?

Tony Tanner
PS: I get the same alert after I disabled Data Bridge.
