1

Topic: Question about htmLawed

Hi,
I'm trying to use htmLawed to filter my forms and I use this config:

$config = array('safe'=>1,'elements'=>'* object');

Because I want to allow the embed objects from TinyMce.

But my question is: I frequently use this kind of field:

<input type="text" name="firstname[]" />

But with my configuration I cannot collect any POST results from these fields. All are stopped by the filters.
How can I allow these [ ] in the fields' names?
Thanking you in advance,
Best Regards.

2

Re: Question about htmLawed

Hi,

Sorry for the delay in responding. The input example you provide does get processed properly when I try it on the htmLawed test page. Can you check if the problem is not because of something else (maybe the strip-slashes issue)?

3

Re: Question about htmLawed

Hi, and thanks for your reply.
Yes, it's true: all is OK with the test page and this kind of field...
Then it's my code which is wrong?

require("htmLawed.php");
$config = array('safe'=>1,'elements'=>'* object');
$_POST = secure_data($_POST);

function secure_data($data){
global $config;
$tmp = array();
if(is_array($data)){
    foreach($data as $cle=>$val){
        if(!is_array($val)){
            $tmp[$cle] = htmLawed($val, $config); 
        }else{
            secure_data($val);
        }
    }
    return $tmp;
}else{
    return htmLawed($data, $config);
}
}

If I use that, there is no return value from the fields name="firstname[]".
My form is very simple, and the fields are simple text fields.
I don't see a problem with the stripslashes function. My magic_quotes are off.
Do you know why?
Thanks for your help.

4

Re: Question about htmLawed

Perhaps the problem is because of how 'config' is specified, with a '+' sign missing between '*' and 'object'. Below is how it should be.

$config = array('safe'=>1,'elements'=>'*+object');

Note that by default, htmLawed allows 'object', so specifying 'elements' in 'config' is actually not required.

Edited on 12/24/2011: Since 'safe' is set to '1', '*+object' is needed in 'elements' if 'object' is to be allowed.

5

Re: Question about htmLawed

Hi,

I changed the $config:

$config = array('safe'=>1);

But the problem is still here. It's crazy!
If I use the data_secure function, the print_r($_POST) is empty for all the array fields such as name="name[]".
I don't understand.

6

Re: Question about htmLawed

Sorry about the wrong suggestion I gave in my earlier post. In your case, since 'safe' is set to '1', '*+object' is needed in 'elements' because you want 'object' to be allowed.

Regardless, I too do not understand why '$_POST' is returning empty. Can you print_r $_POST within data_secure function before htmLawed is called to check if this is because of htmLawed (which I doubt) or something else?

7 (edited by renaud63 2011-12-25 10:37:44)

Re: Question about htmLawed

Yes, I'm sure. If I uncomment the include of htmLawed with the secure_data function, the print_r of $_POST gives:

array(
button=>Send
)

If I comment it out and do not include it:

array( 
       firstname=>array(
            [0]=>Toto
            [1]=>Tata
        )
button=>Send
)

8

Re: Question about htmLawed

Perhaps the issue is with the secure_data function. I included your secure_data function code with the following test script:

require("htmLawed.php");
$config = array('safe'=>1,'elements'=>'*+object');
print_r($_POST);
$_POST = secure_data($_POST);
print_r($_POST);
echo '<html><head></head><body><div><form method=post>
<input name="x[]" type="text" />
<input type="submit" name="y" />
</form></div></body></html>';

The $_POST array after htmLawed filtering seems to lose the value for input 'x' when the input name is of type 'x[]'. If it is just 'x' and not 'x[]', the value is not lost.

9

Re: Question about htmLawed

The $_POST array after htmLawed filtering seems to lose the value for input 'x' when the input name is of type 'x[]'. If it is just 'x' and not 'x[]', the value is not lost.

Yes, true! And it's the reason for my thread! Because I need these kinds of fields ('x[]') very often, so I cannot secure the data?

10

Re: Question about htmLawed

The thing is that the loss of the input values takes place even if htmLawed is not used. E.g., using this code modification for the secure_data function causes the same issue:

foreach($data as $cle=>$val){
        if(!is_array($val)){
            #$tmp[$cle] = htmLawed($val, $config);  // not using htmLawed
            $tmp[$cle] = $val; // just assign the original value
        }else{

So the problem does not seem to be related to htmLawed but to secure_data. Also, htmLawed filtering is on input values and not input names.
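
Added example, not part of the original thread and not htmLawed's own code: a recursive filter that keeps array fields such as firstname[] by storing the result of each recursive call. The name secure_data_fixed, the $filter parameter and the strip_tags stand-in are assumptions made for illustration; the sample POST data is constructed to mirror the thread's output.

```php
<?php
/**
 * Apply $filter to every scalar leaf of $data, preserving keys and nesting.
 * $filter is a hypothetical parameter: any callable taking and returning a string.
 */
function secure_data_fixed($data, callable $filter)
{
    if (!is_array($data)) {
        return $filter((string) $data);
    }
    $tmp = array();
    foreach ($data as $cle => $val) {
        // The thread's version called secure_data($val) for arrays and
        // discarded the return value, so array fields never reached $tmp.
        // Assigning the recursive result keeps them.
        // Keys (input names) are client-controlled and are NOT filtered here;
        // escape them separately if they are ever echoed back.
        $tmp[$cle] = secure_data_fixed($val, $filter);
    }
    return $tmp;
}

if (function_exists('htmLawed')) {
    // htmLawed.php has been loaded: use the config settled on in the thread.
    $config = array('safe' => 1, 'elements' => '*+object');
    $filter = function ($v) use ($config) {
        return htmLawed($v, $config);
    };
} else {
    // Stand-in so the example runs without the library; not equivalent to htmLawed.
    $filter = function ($v) {
        return strip_tags($v);
    };
}

// Constructed sample input shaped like the $_POST dump shown in the thread.
$post = array(
    'firstname' => array('Toto', 'Tata<script>alert(1)</script>'),
    'button'    => 'Send',
);

// Filter into a new variable instead of overwriting the superglobal.
$clean = secure_data_fixed($post, $filter);
print_r($clean);
```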

11

Re: Question about htmLawed

You are right! It's my function which is wrong! Sorry! Many thanks for your help and happy new year!

12

Re: Question about htmLawed

A Happy 2012 to you too!