Quotation Marks Not Replaced When Upgrading
Printed From: Web Wiz Forums
Category: Web Wiz Web App Support Forums
Forum Name: Web Wiz Forums
Forum Description: Support forum for Web Wiz Forums application.
URL: https://forums.webwiz.net/forum_posts.asp?TID=19796
Printed Date: 09 April 2026 at 1:15am
Software Version: Web Wiz Forums 12.08 - https://www.webwizforums.com
Topic: Quotation Marks Not Replaced When Upgrading
Posted By: djlurchg
Subject: Quotation Marks Not Replaced When Upgrading
Date Posted: 10 May 2006 at 4:46pm
Borg:
Yes, it's me again.
You missed another quotation mark issue.
To reproduce the error, log on with admin privileges (ability to edit posts). Edit the first post in a thread. Change the subject of the thread to something like... "WWF Rules" - Tester
Save. Then click on edit again. Nothing will show up in the subject box. Looking at the HTML code you will find value=""WWF Rules" - Tester".
You need to use Server.HTMLEncode or some other trick to convert your quotation marks.
Otherwise, I just upgraded from RC1 to the current release. Nice job.
Replies:
Posted By: WebWiz-Bruce
Date Posted: 11 May 2006 at 10:01am
I've been trying now for about 20 minutes to replicate this error but I can not.
The code should change quotes (") to &quot; to HTML encode it.
In all tests I have done using your example above it is encoded like this every time. I have been trying different methods for about 20 minutes, but it is always encoded.
The only thing I can think is that you may have a corrupted file, so try reuploading the original files again.
If the problem persists could you post a step by step guide on how you did this so that I can try and replicate the problem?
------------- Web Wiz Forums Hosting: https://www.webwiz.net/web-wiz-forums/forum-hosting.htm | ASP.NET Web Hosting: https://www.webwiz.net/web-hosting/windows-web-hosting.htm
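The attribute problem the two posts above are circling, as an added example that is not Web Wiz Forums code: a raw `"` placed inside `<input value="...">` ends the attribute value early (which is why the subject box came up empty), and whatever follows is parsed as further attributes, which is the hook an attribute-injection XSS needs. Encoding the value with the equivalent of `Server.HTMLEncode` fixes both. The `parseTag`/`decodeEntities` helpers are a deliberately minimal model of browser behaviour for double-quoted attributes, and the sample titles and payload are constructed for the demonstration.

```javascript
// Added example, not code from Web Wiz Forums: why a raw quote inside
// <input value="..."> truncates the value (and lets extra attributes in),
// and how HTML-encoding the value fixes it. parseTag/decodeEntities are a
// deliberately simple model of browser behaviour for this one case.

// Attribute encoder, equivalent for these characters to ASP's
// Server.HTMLEncode. Ampersand first so existing entities get escaped too.
function htmlAttrEncode(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// The edit form's subject field, built unsafely (raw interpolation) and safely.
function renderSubjectInputUnsafe(subject) {
  return '<input type="text" name="subject" value="' + subject + '">';
}
function renderSubjectInputSafe(subject) {
  return '<input type="text" name="subject" value="' + htmlAttrEncode(subject) + '">';
}

// Model of how a browser tokenises double-quoted attributes: a value runs
// from its opening quote to the NEXT quote, and whatever follows is read
// as further attributes. First occurrence of a name wins, as in browsers.
function parseTag(tag) {
  const attrs = {};
  const re = /([A-Za-z][\w-]*)="([^"]*)"/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    if (!(m[1] in attrs)) attrs[m[1]] = m[2];
  }
  return attrs;
}

// Browsers decode character references inside attribute values; &amp; last
// so that a double-encoded "&amp;quot;" correctly comes out as "&quot;".
function decodeEntities(s) {
  return s
    .replace(/&quot;/g, '"')
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&amp;/g, "&");
}

// What the user actually sees in the subject box for a rendered tag.
function browserValue(tag) {
  const v = parseTag(tag).value;
  return v === undefined ? "" : decodeEntities(v);
}

// Constructed inputs: the two titles from this thread plus an attribute
// injection payload of the kind the truncation bug invites.
function demo() {
  const titles = ['"WWF Rules" - Tester', 'This is the "Thread" Title'];
  const payload = '" onfocus="alert(1)';
  return {
    unsafe: titles.map((t) => browserValue(renderSubjectInputUnsafe(t))), // ["", "This is the "]
    safe: titles.map((t) => browserValue(renderSubjectInputSafe(t))),     // the titles, intact
    // Unsafe rendering turns the payload into a live event-handler attribute;
    // safe rendering keeps it inert inside the value.
    unsafeInjectedHandler: parseTag(renderSubjectInputUnsafe(payload)).onfocus, // "alert(1)"
    safeInjectedHandler: parseTag(renderSubjectInputSafe(payload)).onfocus,     // undefined
    // Caveat: data already stored encoded (as Web Wiz does) must not be encoded
    // again on output, or the user sees the literal "&quot;" in the box.
    doubleEncoded: browserValue(renderSubjectInputSafe("This is &quot;for&quot; Borg")),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The last field is the practical caveat for this thread: encode-on-input (what the forum's 'HTML Secure' engine does before writing to the database) and encode-on-output (the `Server.HTMLEncode` call suggested above) each fix the bug on their own, but applying both to the same field double-encodes it. Whichever convention the application uses, every row has to follow it, which is exactly what goes wrong with rows written by an older version.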
Posted By: djlurchg
Date Posted: 11 May 2006 at 2:50pm
Borg:
Sorry, but I presumed the posted steps would reproduce the error. The steps were based on my superficial analysis of the problem.
I went to the trouble of restoring my forum database from a daily backup to try and recreate the problem. I did some additional debugging and I think I now can provide reproducible steps.
Using the Access DB backend, open the forum database. Open the table that contains the thread titles (tblTopic). Now change the thread title to something like:
This is the "Thread" Title
Now, log on with admin privileges. Go to the thread with the above mentioned title. Click on the Edit button to edit the thread title.
Voila, the form should display:
This is the
If you look at the source code it will say:
value="This is the "Thread" Title
PS: Another odd thing that I noticed when looking at the tblTopics table was that some characters were URL encoded. For example:
Here is a &0124;ample
Where &024; was equal to S when displayed. The URL code was used for example as I can't remember if it was &023; or &034; or what it was.
Posted By: WebWiz-Bruce
Date Posted: 12 May 2006 at 8:48am
I'm not sure why you are entering data directly into the database as this circumnavigates the forums 'HTML Secure' engine which parses data inputted into the forum and replaces things like quotes with HTML encoded (&quot;), before being written to the database.
If you use the forum in the way it was intended you should never get this problem; also, by entering data directly into the database you will cause other issues within your forum.
The 'HTML Secure' technology also encodes other characters when parsing user input which is why you get other encoded characters within user input; this is mainly to prevent XSS hacking, but is also useful for preventing other types of hacking.
Posted By: djlurchg
Date Posted: 12 May 2006 at 11:04am
The reason was that I was trying to reproduce the original error. I've no idea how the quotation marks got into the Topic title. I'm guessing that the original poster put them in before I had upgraded to the latest version. At some point in your development cycle (V6?) the input was not converted properly.
---
I just checked by entering a thread topic with quotation marks. Via the application form (not the mdb table editor) I entered
This is "for" Borg
The resulting database entry is:
This is &quot;for&quot; Borg
So, it appears to be working.
The problem appears to be: in an old version of the software (which I was using up until V8RC1 came out) the quotation marks did not get converted to HTML encoded format.
Apparently at some point you switched from actually using the correct data (" mark) to another approach (HTML encoded) method to storing data.
----
On a related note, why does one of the field entries in the topic table have a value of:
Custom Forms: Phase 1
Instead of:
Custom Forms: Phase 1
?
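The situation described in the post above (titles written by the old version hold a raw `"`, titles written by the current version hold `&quot;`) is a data migration problem rather than a code bug, and the fix has one subtlety: a one-off pass over `tblTopic` must encode the legacy rows without double-encoding rows the current version already wrote, including the `&#...;` references mentioned earlier in the thread. The following is an added example, not Web Wiz Forums code; the `TopicID`/`Subject` row shape and the sample rows are constructed for illustration, and against the real Access database the rows would be read and written through ADO rather than from an in-memory array.

```javascript
// Added example, not Web Wiz Forums code: a one-off normalisation for topic
// titles written by an older version that stored raw quotes, bringing them in
// line with what the current version stores (&quot;). It is idempotent, so
// running it twice, or over rows the current version already wrote, changes
// nothing, and it never double-encodes an existing character reference such
// as the &#...; ones seen in tblTopics. The row shape (TopicID, Subject) is
// an assumption for illustration; the real table would be read via ADO.

// Matches an existing named, decimal or hex character reference.
const ENTITY = /&(?:#\d+|#x[0-9a-fA-F]+|[A-Za-z][A-Za-z0-9]*);/g;

// Encode only the characters the old version left raw, in a segment of
// text that contains no character references.
function encodeRawSegment(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;");
}

// Encode raw '"' and stray '&', leaving existing references untouched.
function normalizeStoredTitle(title) {
  let out = "";
  let last = 0;
  let m;
  ENTITY.lastIndex = 0;
  while ((m = ENTITY.exec(title)) !== null) {
    out += encodeRawSegment(title.slice(last, m.index)) + m[0];
    last = m.index + m[0].length;
  }
  return out + encodeRawSegment(title.slice(last));
}

// Dry run over a set of rows: returns only the rows that would change,
// with before/after values, so they can be reviewed before any UPDATE.
function planTitleMigration(rows) {
  const changes = [];
  for (const row of rows) {
    const fixed = normalizeStoredTitle(row.Subject);
    if (fixed !== row.Subject) {
      changes.push({ TopicID: row.TopicID, before: row.Subject, after: fixed });
    }
  }
  return changes;
}

// Constructed sample rows: one legacy raw-quote title, one already encoded
// by the current version, one with a numeric reference, one with a bare '&'.
const sampleRows = [
  { TopicID: 1, Subject: 'This is the "Thread" Title' },
  { TopicID: 2, Subject: "This is &quot;for&quot; Borg" },
  { TopicID: 3, Subject: "Here is a &#83;ample" },
  { TopicID: 4, Subject: 'Tom & "Jerry"' },
];

// Only rows 1 and 4 are reported; rows 2 and 3 are already in the stored form.
console.log(JSON.stringify(planTitleMigration(sampleRows), null, 2));
```

Take a backup before applying the planned changes (the poster above restored from one to reproduce the bug), and run the plan a second time afterwards: an idempotent normaliser should then report no rows at all, which is a cheap check that nothing was double-encoded.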
Posted By: WebWiz-Bruce
Date Posted: 12 May 2006 at 11:28am
Version 6 didn't have the same level of security as version 7 and version 8 has, and didn't encode the user input in the same way.
There are a number of words that are HTML encoded to prevent XSS hacks, these are words such as:-
form onClick onMouseOver vbscript javascript cookie script
and a number of others; by HTML encoding characters within these words when displayed in a web browser prevents the web browser from executing these statements as events if manipulated by a hacker to do so, thus preventing XSS hacking.
Posted By: djlurchg
Date Posted: 12 May 2006 at 8:33pm
Nice call there Borg! I had forgotten about those tricks :)