[Phpsurveyor-developers] The infamous Single-Quote Syndrome
From: Thibault Le M. <Thi...@su...> - 2007-02-13 16:14:00
Hi Carsten, David, and others,

I'm still struggling with the Single-Quote issues remaining in PHPSV; they are the cause of several bugs:

A- Incomplete display in HTML elements (truncated to the first quote)
B- No display of some tooltips (as soon as they get a single quote)
C- Broken javascripts (DoAdd, DoRemove, ...) when they deal with a translated string that contains an unescaped single quote
D- SQL bugs when SQL queries are using unescaped values received by _GET or _POST.

Problems A, B and C
====================

They are related to single quotes in translated strings. Translated strings must be accessible in differing formats:

* "html escaped" (see the html_escape function)
  * At least in HTML elements' value (could be extended to all HTML outputs)
  * I have begun adding html_escape to a lot of html outputs in PHPSV, but this is becoming difficult to read and maintain and I know I've forgotten some calls
* "javascript escaped" (see the javascript_escape function)
  * in javascript calls (DoAdd, DoRemove, showTooltips ...)
  * I have created javascript_escape, but we still have to track where it should be called in the code
* "unescaped" (as they are currently returned by $clang->gT)
  * in switch/case statements (since they are compared to the _POST / _GET values received as unescaped strings)

In order to simplify the code and future development I propose (and so did David in a previous email) to implement escaping in the language.php functions by either:

* defining the following functions: gT_html (for html output), gT_js (for javascript output), and gT (for unescaped output)

OR

* adding an argument to gT($string, $escapemode = 'html')
  * this would return the html_escaped version of the current gT output

Advantages of the latter solution:

* I could remove any call to html_escape I added (which made the code even more difficult to read), and all previously defined calls to $clang->gT will automatically be patched to use html_escaped strings
* We'll only have to track javascript/tooltip calls using $clang and add the $escapemode 'js' parameter
* We'll have to track case statements and use the 'unescaped' parameter (I can easily script this with bash/grep/sed)

I need your feedback/decision on this in order to continue my investigations and debugging.

Problem D
=========

Quoting POST and GET variables will be done by a new common db_quote function as proposed by Carsten. The Sql_sanitize function should disappear...

Regards,
Thibault
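A sketch of the second option from the message (gT with an $escapemode argument), as an added example that is not PHPSurveyor code; the DemoLang class, its translation table and the request value are constructed for the demo, and htmlspecialchars/json_encode stand in for the html_escape/javascript_escape functions named above.

```php
<?php
// Added example (not PHPSurveyor code): sketch of the proposed
// gT($string, $escapemode = 'html') with per-context escaping.
// The translation table below is constructed for the demo.
class DemoLang
{
    // Constructed stand-in for the gettext lookup; the value carries a single quote.
    private array $table = [
        'Add question' => "Ajouter une question à l'enquête",
    ];

    // html_escape: safe in HTML text and in single- or double-quoted attribute values.
    public function html_escape(string $s): string
    {
        return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    }

    // javascript_escape: safe inside a JS string literal, even one embedded in
    // an HTML event attribute (quotes, <, >, & are hex-escaped, not left raw).
    public function javascript_escape(string $s): string
    {
        $json = json_encode($s, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP);
        if ($json === false) { throw new RuntimeException('invalid UTF-8 in string'); }
        return substr($json, 1, -1); // drop the surrounding double quotes
    }

    // gT with the escape-mode argument proposed in the message; 'html' is the default.
    public function gT(string $string, string $escapemode = 'html'): string
    {
        $t = $this->table[$string] ?? $string;
        switch ($escapemode) {
            case 'html':      return $this->html_escape($t);
            case 'js':        return $this->javascript_escape($t);
            case 'unescaped': return $t;
        }
        throw new InvalidArgumentException("unknown escape mode: $escapemode");
    }
}

$clang = new DemoLang();
// Problem A: the default now escapes, so the value is no longer cut at the apostrophe.
echo "<input type='submit' value='" . $clang->gT('Add question') . "'>\n";
// Problem C: the same string passed to DoAdd() needs the 'js' mode.
echo "<a href=\"#\" onclick=\"DoAdd('" . $clang->gT('Add question', 'js') . "')\">+</a>\n";
// switch/case against a raw _POST value must use the 'unescaped' mode.
$_POST['action'] = "Ajouter une question à l'enquête"; // constructed request value
switch ($_POST['action']) {
    case $clang->gT('Add question', 'unescaped'): echo "matched action\n"; break;
}
```

The one-argument call site keeps working unchanged, which is the "automatically patched" property the message relies on; only JS and case call sites need the explicit mode.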