Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Check and resolve conflicts with output of encoded characters. Allow tags in title, description and menu fields #15

Open
dimayakovlev opened this issue Jun 9, 2021 · 0 comments
Open

Check and resolve conflicts with output of encoded characters. Allow tags in title, description and menu fields #15

dimayakovlev opened this issue Jun 9, 2021 · 0 comments
Assignees
@dimayakovlev
Labels
enhancement New feature or request help wanted Extra attention is needed

Comments

@dimayakovlev
Copy link
Owner

User input stored in pages XML files filtered by calling:

filter_var($string, FILTER_SANITIZE_FULL_SPECIAL_CHARS);

  1. On output there is the problem with double encode HTML symbols. To fix this needs to review security, template and theme functions. To preserve problems with output of not filtered or filtered differently strings call one of two:

    • <?php echo filter_var($string, FILTER_SANITIZE_FULL_SPECIAL_CHARS); ?>;
    • <?php echo htmlspecialchars($string, ENT_QUOTES, 'UTF-8', false); ?>;

  2. Since HTML symbols stored encoded and on save applied function xss_clean(), there are no problems with tags in title, description and menu. Encoded symbols '<' and '>' will not be treated as HTML tags and will not broke anything in page but will not limit user with writing content. Anyway on output tags can be removed with function strip_tags().

All those changes needs to be tested well.
@dimayakovlev dimayakovlev added enhancement New feature or request help wanted Extra attention is needed labels Jun 9, 2021
@dimayakovlev dimayakovlev self-assigned this Jun 9, 2021
dimayakovlev added a commit that referenced this issue Jun 11, 2021
@dimayakovlev
Update security_functions.php
ff35712 
Change function var_out() to use filter_var() and add two new options for $filter parameter: default and encoded.
Address gh-15.
dimayakovlev added a commit that referenced this issue Jun 13, 2021
@dimayakovlev
Allow tags in title, meta description and menu
be3baa0 
Address gh-15 and gh-11.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@dimayakovlev dimayakovlev

Labels
enhancement New feature or request help wanted Extra attention is needed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@dimayakovlev