Entity Escaping when Editing the Template

cmb
Posts: 14225
Joined: Tue Jun 21, 2011 11:04 am
Location: Bingen, RLP, DE

Entity Escaping when Editing the Template

Post by cmb » Tue Mar 05, 2013 10:01 pm

Hello Community,

in the German section a user reported a broken site: http://cmsimpleforum.com/viewtopic.php?f=16&t=5875. Apparently the same has happened as in http://cmsimpleforum.com/viewtopic.php? ... t=20#p2882: the template was broken. I had a look at the template (roundmetalblue from cmsimple-styles.com) and found that the following part was missing:


<SCRIPT LANGUAGE="JavaScript">
...
<?php echo preg_replace("/<script.*?SymRealWinOpen.*?script>
What has happened? I'm not exactly sure, but just install the template and go to Settings -> Template. :shock: (remember to convert the template to UTF-8 without BOM before testing in a UTF-8 encoded CMSimple installation)

Apparently a defect of the template, but actually a defect in CMSimple: it doesn't entity escape the template when writing it to the edit textarea in the back-end. One can verify this by looking at the source code, or by using an (X)HTML validator. Probably the stylesheet isn't entity escaped either. I suggest fixing that for the currently maintained branches (1.1, 1.4 and 1.5). For XH 1.6 this is already done.

I'll contact Jens regarding the template.

Christoph
Christoph M. Becker – Plugins for CMSimple_XH
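The defect described in the post above, shown as an added example (this is illustration code, not CMSimple's back-end code): a template that contains markup such as a script block or a literal "</textarea>" is written verbatim into the editor's textarea, so the browser closes the textarea early and the user edits, and then saves, only a truncated template. The sample template and the function names are constructed for this example.

```php
<?php
// Added example, not CMSimple code: why the template file must be
// entity-escaped before it is written into the back-end <textarea>.

// Constructed sample template content. It contains the kind of markup the
// thread describes (a <script> block and a PHP snippet) plus a literal
// "</textarea>", the worst case for an unescaped textarea. A nowdoc is used
// so that "$content" is not interpolated.
$template = <<<'TPL'
<!DOCTYPE html>
<html><head>
<script type="text/javascript">var x = 1 < 2;</script>
</head><body>
<?php echo preg_replace('/<script.*?<\/script>/is', '', $content); ?>
<p>a comment mentioning </textarea> in the page text</p>
</body></html>
TPL;

// The defect: the file contents are interpolated verbatim.
function renderEditorUnescaped($text)
{
    return '<textarea name="template">' . $text . '</textarea>';
}

// The fix: every character that has meaning inside the textarea's HTML
// context becomes an entity, so the browser shows the file as text.
// ENT_NOQUOTES is enough here because the content is element text, not an
// attribute value.
function renderEditorEscaped($text)
{
    return '<textarea name="template">'
        . htmlspecialchars($text, ENT_NOQUOTES, 'UTF-8')
        . '</textarea>';
}

// Counting closing tags makes the breakage visible without a browser: the
// unescaped form contains two "</textarea>", the escaped form exactly one.
function countTextareaClosers($html)
{
    return preg_match_all('#</textarea>#i', $html);
}

echo 'closing tags, unescaped: ',
    countTextareaClosers(renderEditorUnescaped($template)), PHP_EOL;
echo 'closing tags, escaped:   ',
    countTextareaClosers(renderEditorEscaped($template)), PHP_EOL;

// Round trip: the browser decodes the entities when submitting the form, so
// the escaped representation decodes back to the original bytes unchanged.
$shown = htmlspecialchars($template, ENT_NOQUOTES, 'UTF-8');
echo 'round trip intact: ',
    var_export(html_entity_decode($shown, ENT_NOQUOTES, 'UTF-8') === $template, true),
    PHP_EOL;
```

Run it with the PHP CLI; the second count is the one a correct editor produces. The same escaping applies to the stylesheet editor mentioned in the post, since a CSS file can contain "</textarea>" or "<" just as well.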

cmb
Posts: 14225
Joined: Tue Jun 21, 2011 11:04 am
Location: Bingen, RLP, DE
Contact:

Re: Entity Escaping when Editing the Template

Post by cmb » Mon Jul 08, 2013 3:12 pm

Hello Community,

proper escaping of the special HTML entities is mandatory, and is probably best done in this case with:


htmlspecialchars($text, ENT_NOQUOTES, 'UTF-8')
Unfortunately this results in an empty string if the template (or other files, respectively) contains invalid UTF-8 characters. In this case the textarea stays blank, and when the user nonetheless saves the template, the website is "gone" (no template, no website).

I suggest checking the file for proper UTF-8 encoding, emitting an error message and suppressing the save button otherwise.

Christoph
Christoph M. Becker – Plugins for CMSimple_XH


Re: Entity Escaping when Editing the Template

Post by cmb » Sat Jul 20, 2013 1:46 pm

cmb wrote: I suggest checking the file for proper UTF-8 encoding, emitting an error message and suppressing the save button otherwise.
I'm not sure anymore if that's a reasonable approach. The encoding issue concerns not only the template, but a lot of other files as well (e.g. stylesheets, config.php, the language files, data files of plugins etc.). PHP 5.4 introduced the option ENT_SUBSTITUTE for htmlspecialchars(), which replaces all non-UTF-8-conforming character codes with the Unicode replacement character (U+FFFD, the well-known <?>). We could offer a replacement for htmlspecialchars(), say XH_hsc(), which does this replacement even for older PHP versions:


function XH_hsc($string)
{
    if (!defined('ENT_SUBSTITUTE')) {
        // PHP < 5.4: replace invalid byte sequences ourselves with U+FFFD
        // (UTF-8 bytes EF BF BD) using the bundled phputf8 library, so that
        // htmlspecialchars() does not return an empty string.
        include_once UTF8 . '/utils/bad.php';
        $string = utf8_bad_replace($string, "\xEF\xBF\xBD");
        $string = htmlspecialchars($string, ENT_COMPAT, 'UTF-8');
    } else {
        // PHP >= 5.4: let htmlspecialchars() do the substitution itself.
        $string = htmlspecialchars($string, ENT_COMPAT | ENT_SUBSTITUTE, 'UTF-8');
    }
    return $string;
}
Christoph M. Becker – Plugins for CMSimple_XH
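The two posts above (the empty-string behaviour of htmlspecialchars() on invalid UTF-8, and the XH_hsc() fallback) as one added, stand-alone example. This is not CMSimple_XH code: instead of the phputf8 library's utf8_bad_replace(), the fallback below uses a byte-level regular expression over the well-formed UTF-8 sequences of RFC 3629, so it runs without any include. The function names xh_utf8_replace_bad(), xh_is_utf8() and xh_hsc(), and the sample string with Latin-1 bytes, are constructed for this example.

```php
<?php
// Added example, not CMSimple_XH code: a dependency-free variant of the
// XH_hsc() idea. Invalid byte sequences become U+FFFD on every PHP version,
// so the editor never shows an empty textarea for a file with bad bytes.

define('XH_REPLACEMENT_CHAR', "\xEF\xBF\xBD"); // U+FFFD encoded as UTF-8

// Replace every byte that is not part of a well-formed UTF-8 sequence.
// Group 1 lists the well-formed sequences (RFC 3629 table); the trailing "."
// (with /s and deliberately without /u) catches any other single byte.
function xh_utf8_replace_bad($string, $replacement = XH_REPLACEMENT_CHAR)
{
    $pattern = '/(
          [\x00-\x7F]
        | [\xC2-\xDF][\x80-\xBF]
        | \xE0[\xA0-\xBF][\x80-\xBF]
        | [\xE1-\xEC\xEE\xEF][\x80-\xBF]{2}
        | \xED[\x80-\x9F][\x80-\xBF]
        | \xF0[\x90-\xBF][\x80-\xBF]{2}
        | [\xF1-\xF3][\x80-\xBF]{3}
        | \xF4[\x80-\x8F][\x80-\xBF]{2}
    )|./sx';
    return preg_replace_callback(
        $pattern,
        function ($m) use ($replacement) {
            // $m[1] is only present when a well-formed sequence matched.
            return isset($m[1]) ? $m[1] : $replacement;
        },
        $string
    );
}

// The check proposed in the earlier post: a /u pattern fails to match on
// input that is not valid UTF-8.
function xh_is_utf8($string)
{
    return preg_match('//u', $string) === 1;
}

// Escaping that never yields an empty string for non-empty input.
function xh_hsc($string, $flags = ENT_COMPAT)
{
    if (defined('ENT_SUBSTITUTE')) {
        // PHP >= 5.4 substitutes U+FFFD itself.
        return htmlspecialchars($string, $flags | ENT_SUBSTITUTE, 'UTF-8');
    }
    // Older PHP: repair the bytes first, then escape.
    return htmlspecialchars(xh_utf8_replace_bad($string), $flags, 'UTF-8');
}

// Constructed sample: "Grüße" with the Latin-1 single bytes 0xFC and 0xDF,
// as found in a template that was not converted to UTF-8.
$bad = "<p>Gr\xFC\xDFe & <b>Ciao</b></p>";

// 1. Without ENT_SUBSTITUTE the result is an empty string: blank textarea.
echo 'plain htmlspecialchars(): ';
var_dump(htmlspecialchars($bad, ENT_NOQUOTES, 'UTF-8'));

// 2. The encoding check detects the file before the editor is shown.
echo 'valid UTF-8: ', var_export(xh_is_utf8($bad), true), PHP_EOL;

// 3. The substituting variant keeps the content, with the two bad bytes
//    shown as U+FFFD and all markup characters escaped.
echo 'xh_hsc(): ', xh_hsc($bad), PHP_EOL;

// 4. The fallback path, forced explicitly so it can be tested on modern PHP
//    as well; its output is valid UTF-8 and identical to the ENT_SUBSTITUTE path.
$fallback = htmlspecialchars(xh_utf8_replace_bad($bad), ENT_COMPAT, 'UTF-8');
echo 'fallback matches: ', var_export($fallback === xh_hsc($bad), true), PHP_EOL;
```

Note the trade-off the post raises: substitution keeps the editor usable, but saving the shown content writes U+FFFD over the original bytes, so the check in xh_is_utf8() is still useful for warning the user before the save button overwrites the file.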
