1

Topic: I can't get Htmlawed working with forms

I'm trying to get my Htmlawed script to work with a posted form, no luck so far.

The test script below (without any posted form) is working, as it outputs: alert('hi');123

$text="<script>alert('hi');</script>123";
$processed = htmLawed($text, array('safe'=>1, 'deny_attribute'=>'style')); 
echo $processed;

When I submit the same text (<script>alert('hi');</script>123) through a form it fails; it just outputs the same <script>alert('hi');</script>123. This is the code I'm using:

    $ps1 =  trim(stripslashes($_POST['message']));
    $posting= htmLawed($ps1, array('safe'=>1, 'deny_attribute'=>'style'));
    echo $posting;

Has anyone got a clue what I'm doing wrong here?

2

Re: I can't get Htmlawed working with forms

The stripslashes function removes backslash characters from strings – example\'example\\ becomes example'example\

The backslash character is automatically added before backslash and single/double quote characters in a form's GET/POST variable values by PHP if the PHP setup's magic_quotes_gpc value is set to true.

Maybe it is not so in your case; i.e., maybe stripslashes should not be in the code – see this post.

3 (edited by internethero 2016-12-20 07:46:52)

Re: I can't get Htmlawed working with forms

I've removed the stripslashes, but I've still got the same problem.
When I give

<script>alert('hi');</script>123

as input at the form field, htmLawed outputs the same, thus

<script>alert('hi');</script>123

This is my code currently:

    //$ps1 =  trim(stripslashes($_POST['message']));
    $posting= htmLawed($_POST['message'], array('safe'=>1, 'deny_attribute'=>'style'));
    echo $posting;

4

Re: I can't get Htmlawed working with forms

I am not sure why you are seeing the odd result. I am unable to replicate the issue on my system. I suspect it is a minor point that you are missing which is causing the issue. You can try my test code.

<?php
// this code is in file test.php; browse to "... /test.php"
include('./htmLawed.php');

echo '<u>Non-form example input</u><br /><br />';
$text = "<script>alert('hi');</script>123";
echo 'INPUT: ', htmlspecialchars($text), '<br /><br />';
echo 'OUTPUT: ', htmlspecialchars(htmLawed($text, array('safe'=>1, 'deny_attribute'=>'style'))), '<br /><br />';

echo '<u>Form input</u><br /><br />';
$text = isset($_POST['input']) ? $_POST['input']: '';
echo '<form method="post">INPUT: <input type="text" name="input" value="', htmlspecialchars($text), '" size="60" /></form><br />';
echo 'OUTPUT: ', htmlspecialchars(htmLawed($text, array('safe'=>1, 'deny_attribute'=>'style'))), '<br />';

5

Re: I can't get Htmlawed working with forms

Your script is working, patnaik.

I've done some testing, and it seems the problem only occurs when I'm using a WYSIWYG field within the HTML form. I've tried two different WYSIWYG editors, but in both cases htmLawed didn't work when a WYSIWYG field was submitted.

This is my test code with a WYSIWYG editor (jqueryte, which can be found on jqueryte.com):

<script src="http://ajax.googleapis.com/ajax/libs/jquery/3.1.0/jquery.min.js"></script>
<script src="/wysiwyg/jquery-te.min.js"></script>
<link rel="stylesheet" href="/wysiwyg/jquery-te.css">
<script>
jQuery(document).ready(function($) {
  $("#message").jqte();
  $("#message").jqteVal("");
});
</script>

<form id="qform" name="qform" method="post" action="qanswer.php"  enctype="multipart/form-data">
<textarea id="message" name="message"></textarea>
<input type='submit' value='Submit form' id="send" name="send"/>
</form>

when I fill in

<script>alert('hi');</script>123

in the WYSIWYG textarea and submit the form, my PHP code

    $posting= htmLawed($_POST['message'], array('safe'=>1, 'deny_attribute'=>'style'));
    echo $posting;

returns

<script>alert('hi');</script>123

so here it fails.


When I submit another form without WYSIWYG, like:

<form id="qform" name="qform" method="post" action="qanswer.php"  enctype="multipart/form-data">
<textarea id="message" name="message"></textarea>

<input type='submit' value='Submit form' id="send" name="send"/>
</form>

this returns

alert('hi');

so here htmLawed works perfectly.

I can't figure out why the WYSIWYG editors give these problems. I hope you can help me out, as I need this HTML editor on my website.

6

Re: I can't get Htmlawed working with forms

I believe this is happening because the text editor is auto-converting "<" and ">" characters in input in the textarea to HTML entities ("&lt;", "&gt;"). That is, the dangerous text is getting neutralized and htmLawed does not find any HTML tag in it. You can see this if you were to use htmlspecialchars() function to display the raw and not the rendered version of the text editor form input/output. Example code:

echo '<u>Editor input</u><br /><br />';
$posting = isset($_POST['message']) ? $_POST['message']: '';
echo 'INPUT: ', htmlspecialchars($posting), '<br /><br />';
echo 'OUTPUT: ', htmlspecialchars(htmLawed($posting, array('safe'=>1, 'deny_attribute'=>'style'))), '<br /><br />';

If you click the "</>" button of the HTML editor, then you can put in text such that it won't be auto-converted by the text editor. You will see then that htmLawed works as expected.
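Added example, not code from this thread or from the htmLawed project: a small test script that ties together the two points made above (post 2 on stripslashes/magic_quotes_gpc and post 6 on the editor entity-encoding its output). It feeds three constructed inputs through the same htmLawed call the thread uses: the raw markup a plain textarea sends, the entity-encoded form a WYSIWYG editor sends, and a payload that a client could send directly to qanswer.php without going through the editor at all. It assumes htmLawed.php is in the same directory; `unquote_gpc` and `sanitize_post` are names chosen for this example. For each input it shows what htmLawed returns, whether any tags survive, and what happens if the application later runs html_entity_decode() on the sanitized text, which is the step that would turn the "neutralized" editor output back into live markup.

```php
<?php
// Added example (not from the forum thread or the htmLawed project).
// Assumes htmLawed.php sits next to this script.
include('./htmLawed.php');

// Undo magic_quotes_gpc only when PHP actually applied it. The setting is
// gone in PHP 7.4+/8, where get_magic_quotes_gpc() no longer exists, so a
// blind stripslashes() would corrupt legitimate backslashes there.
function unquote_gpc($s) {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($s);
    }
    return $s;
}

// Same htmLawed configuration as in the thread.
function sanitize_post($raw) {
    return htmLawed(unquote_gpc($raw), array('safe' => 1, 'deny_attribute' => 'style'));
}

// Constructed inputs standing in for $_POST['message'].
$cases = array(
    'plain textarea (raw markup)'       => "<script>alert('hi');</script>123",
    'wysiwyg editor (entity-encoded)'   => "&lt;script&gt;alert('hi');&lt;/script&gt;123",
    'direct POST, editor bypassed'      => "<a href=\"javascript:alert('hi')\">123</a>",
);

foreach ($cases as $label => $raw) {
    $out = sanitize_post($raw);
    echo "== $label ==\n";
    // htmlspecialchars() so the raw string is shown, not rendered, as in post 6.
    echo "INPUT : ", htmlspecialchars($raw), "\n";
    echo "OUTPUT: ", htmlspecialchars($out), "\n";
    // Does the browser get an element, or only text? strip_tags() is unchanged
    // on text that contains no tags, e.g. the entity-encoded editor output.
    echo "tags left after htmLawed: ", (strip_tags($out) === $out ? 'none' : 'yes'), "\n";
    // Pitfall: decoding entities after sanitizing reintroduces the markup the
    // editor had neutralized, so never decode sanitized content before output.
    $decoded = html_entity_decode($out, ENT_QUOTES, 'UTF-8');
    echo "if html_entity_decode()'d before output: ", htmlspecialchars($decoded), "\n\n";
}
```

Run it with `php` from the command line or browse to it. The third case is the one to keep in mind: the editor's "</>" button and its entity conversion happen in the browser, so a client that posts straight to the form's action (for instance `curl -d "message=<script>alert(1)</script>" http://example.test/qanswer.php`, with the host an assumption) never goes through the editor. The htmLawed call on the server is the control that actually matters; the editor only changes what a cooperative browser sends.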

7

Re: I can't get Htmlawed working with forms

You are right, this solved my 'problem'. Thank you so much, patnaik, I really appreciate it.
Merry Christmas to you and your family!

8

Re: I can't get Htmlawed working with forms

Merry Christmas and a Happy 2017!