djlurchg
Topic: Quotation Marks Not Replaced When Upgrading
Posted: 10 May 2006 at 4:46pm
Borg:
Yes, it's me again.
You missed another quotation mark issue.
To reproduce the error, log on with admin privileges (ability to edit posts). Edit the first post in a thread. Change the subject of the thread to something like... "WWF Rules" - Tester
Save. Then click on edit again. Nothing will show up in the subject box. Looking at the HTML code you will find value=""WWF Rules" - Tester".
You need to use Server.HTMLEncode or some other trick to convert your quotation marks.
Otherwise, I just upgraded from RC1 to the current release. Nice job.
Edited by djlurchg - 12 May 2006 at 8:29pm
WebWiz-Bruce
Admin Group
Web Wiz Developer
Posted: 11 May 2006 at 10:01am
I've been trying now for about 20 minutes to replicate this error but I cannot.
The code should change quotes (") to &quot; to HTML encode them.
In all tests I have done using your example above it is encoded like this every time. I have been trying different methods for about 20 minutes, but it is always encoded.
The only thing I can think is that you may have a corrupted file, so try re-uploading the original files again.
If the problem persists, could you post a step-by-step guide on how you did this so that I can try to replicate the problem?
djlurchg
Posted: 11 May 2006 at 2:50pm
Borg:
Sorry, but I presumed the posted steps would reproduce the error. The steps were based on my superficial analysis of the problem.
I went to the trouble of restoring my forum database from a daily backup to try to recreate the problem. I did some additional debugging and I think I can now provide reproducible steps.
Using the Access DB backend, open the forum database. Open the table that contains the thread titles (tblTopic). Now change the thread title to something like:
This is the "Thread" Title
Now, log on with admin privileges. Go to the thread with the above-mentioned title. Click on the Edit button to edit the thread title.
Voila, the form should display:
This is the
If you look at the source code it will say:
value="This is the "Thread" Title"
PS: Another odd thing that I noticed when looking at the tblTopics table was that some characters were URL encoded. For example:
Here is a &0124;ample
Where &024; was equal to S when displayed. The URL code was used for example as I can't remember if it was &023; or &034; or what it was.
WebWiz-Bruce
Admin Group
Web Wiz Developer
Posted: 12 May 2006 at 8:48am
I'm not sure why you are entering data directly into the database, as this circumnavigates the forum's 'HTML Secure' engine, which parses data input into the forum and replaces things like quotes with their HTML-encoded form (&quot;) before they are written to the database.
If you use the forum in the way it was intended you should never get this problem; also, by entering data directly into the database you will cause other issues within your forum.
The 'HTML Secure' technology also encodes other characters when parsing user input, which is why you get other encoded characters within user input. This is mainly to prevent XSS hacking, but is also useful for preventing other types of hacking.
djlurchg
Posted: 12 May 2006 at 11:04am
The reason was that I was trying to reproduce the original error. I've no idea how the quotation marks got into the Topic title. I'm guessing that the original poster put them in before I had upgraded to the latest version. At some point in your development cycle (V6?) the input was not converted properly.
---
I just checked by entering a thread topic with quotation marks. Via the application form (not the mdb table editor) I entered
This is "for" Borg
The resulting database entry is:
This is "for" Borg
So, it appears to be working.
The problem appears to be: in an old version of the software (which I was using up until V8RC1 came out) the quotation marks did not get converted to HTML-encoded format.
Apparently at some point you switched from actually using the correct data (" mark) to another approach (the HTML-encoded method) for storing data.
----
On a related note, why does one of the field entries in the topic table have a value of:
Custom Forms: Phase 1
Instead of:
Custom Forms: Phase 1
?
WebWiz-Bruce
Admin Group
Web Wiz Developer
Posted: 12 May 2006 at 11:28am
Version 6 didn't have the same level of security as versions 7 and 8 have, and didn't encode the user input in the same way.
There are a number of words that are HTML encoded to prevent XSS hacks. These are words such as:
form onClick onMouseOver vbscript javascript cookie script
and a number of others. HTML encoding characters within these words when they are displayed in a web browser prevents the web browser from executing these statements as events if manipulated by a hacker to do so, thus preventing XSS hacking.
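The two mechanisms discussed in this thread, put together in code: the edit form that breaks when a raw quote reaches value="...", attribute encoding as the fix, an output-time render that copes with both legacy rows stored raw (pre-V7 data, as djlurchg found) and rows stored already encoded (the 'HTML Secure' approach Bruce describes), and a toy keyword encoder of the kind Bruce lists. This is an added example written for this page, not Web Wiz Forums code; the function names, the keyword list and the sample titles are assumptions taken from the posts above, and browserValue is a deliberately small stand-in for how a browser reads the attribute, not a real HTML parser.

```javascript
// Added example, not Web Wiz Forums code. Function names, the keyword
// list and the sample titles are assumptions drawn from the thread.

const ATTR_MAP = { "&": "&amp;", '"': "&quot;", "<": "&lt;", ">": "&gt;" };

// Encode text for use inside a double-quoted HTML attribute value.
function encodeAttr(s) {
  return String(s).replace(/[&"<>]/g, (c) => ATTR_MAP[c]);
}

// Decode the named entities above plus numeric references (&#NN; / &#xNN;),
// enough to recover what a browser would show for an attribute value.
// Single pass, so "&amp;quot;" decodes to the literal text "&quot;".
function decodeEntities(s) {
  const named = { amp: "&", quot: '"', lt: "<", gt: ">" };
  return String(s).replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (m, body) => {
    if (body[0] === "#") {
      const cp = body[1].toLowerCase() === "x"
        ? parseInt(body.slice(2), 16)
        : parseInt(body.slice(1), 10);
      return String.fromCodePoint(cp);
    }
    return named[body.toLowerCase()] ?? m;
  });
}

// The edit form's subject field. encode=false reproduces the bug in the
// first post: a raw quote in the title lands unencoded in value="...".
function subjectInput(title, encode = true) {
  const v = encode ? encodeAttr(title) : title;
  return `<input type="text" name="subject" value="${v}">`;
}

// Toy model of what a browser keeps as the field's value: the first "..."
// run after value=, then entity-decoded. A raw quote ends the attribute
// early, which is why the thread saw an empty subject box.
function browserValue(html) {
  const m = /value="([^"]*)"/.exec(html);
  return m ? decodeEntities(m[1]) : null;
}

// Output-time canonicalisation: decode whatever is stored (raw legacy rows
// or rows pre-encoded on input), then encode once for the attribute
// context. This avoids both the raw-quote break and double encoding.
function renderStoredSubject(storedTitle) {
  return subjectInput(decodeEntities(storedTitle), true);
}

// Toy keyword encoder in the spirit of the 'HTML Secure' list quoted
// above: the first letter of each matched word becomes a decimal character
// reference. One alternation, longest words first, so "javascript" is not
// re-matched as "script". No word boundary, so "Forms" is hit too, which
// would explain the oddly stored "Custom Forms" title in the thread.
const KEYWORD_RE = /javascript|vbscript|onmouseover|onclick|cookie|script|form/gi;
function encodeKeywords(s) {
  return String(s).replace(KEYWORD_RE, (m) => `&#${m.charCodeAt(0)};${m.slice(1)}`);
}

// Demo: the thread's reproduction, broken and then fixed.
console.log(browserValue(subjectInput('"WWF Rules" - Tester', false))); // ""
console.log(browserValue(renderStoredSubject('"WWF Rules" - Tester'))); // "WWF Rules" - Tester
console.log(encodeKeywords("Custom Forms: Phase 1")); // Custom &#70;orms: Phase 1
```

Two points worth checking against your own forum. First, if titles are stored already encoded (as Bruce says newer versions do), encoding them again on output turns &quot; into &amp;quot; and the edit box shows the literal text "&quot;"; the decode-then-encode render above is one way to serve both old raw rows and new encoded rows without that double encoding. Second, the keyword trick works because browsers do not entity-decode tag or attribute names, so <&#115;cript> and &#111;nclick= never parse as markup; attribute values are decoded, so it complements rather than replaces encoding for the context the data is output into.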
djlurchg
Posted: 12 May 2006 at 8:33pm
Nice call there, Borg! I had forgotten about those tricks :)