Re: [Phpsurveyor-developers] The infamous Single-Quote Syndrom
From: Carsten S. <car...@gm...> - 2007-02-13 22:37:09
Hi!

I am definitely for this method:

> * add an argument to gT($string, $escapemode = 'html')
> * this would return the html_escaped version of current gT output

This way it is an optional argument with default to html. That would save us a lot of work.

Thank you Thibault for working this out.. you are doing great work!

Regards
Carsten

Thibault Le Meur wrote:
> Hi Carsten, David, and others,
>
> I'm still struggling with the Single-Quote issues remaining in PHPSV, they are the cause of several bugs:
> A- Incomplete display in HTML elements (truncated to the first quote)
> B- No display of some tooltips (as soon as they got a single quote)
> C- Broken javascripts (DoAdd, DoRemove, ...) when they deal with a translated string that contains an unescaped single quote
> D- SQL bugs when SQL queries are using unescaped values received by _GET or _POST.
>
> Problems A, B and C
> ====================
> They are related to simple quotes in translated strings.
>
> Translated strings must be accessible in differing formats:
> * "html escaped" (see the html_escape function)
>   * At least in HTML Elements' value (could be extended to all HTML outputs)
>   * I have begun adding html_escape to a lot of html outputs in PHPSV, but this is becoming difficult to read and maintain and I know I've forgotten some calls
>
> * "javascript escaped" (see javascript_escape function)
>   * in javascript calls (DoAdd, DoRemove, showTooltips ...)
>   * I have created javascript_escape, but we still have to track where it should be called in the code
>
> * "unescaped" (as they are currently returned by $clang->gT)
>   * in switch/case statements (since they are compared to the _POST / _GET values received as unescaped strings)
>
> In order to simplify the code and future development I propose (and so did David on a previous email) to implement escaping in the language.php functions by either:
>
> * define the following functions: gT_html (for html output), gT_js (for javascript output), and gT (for unescaped output)
>
> OR
>
> * add an argument to gT($string, $escapemode = 'html')
>   * this would return the html_escaped version of current gT output
>
> Advantages of the latter solution:
> * I could remove any call to html_escape I added (which made the code even more difficult to read), and all previously defined calls to $clang->gT will automatically be patched to use html_escaped strings
> * We'll only have to track javascript/tooltip calls using $clang and add the $escapemode 'js' parameter
> * We'll have to track case statements and use the 'unescaped' parameter (I can easily script this with bash/grep/sed)
>
> I need your feedback decision on this in order to continue my investigations and debug.
>
>
> Problem D
> =========
>
> Quoting POST and GET variables will be done by a new common db_quote function as proposed by Carsten.
> Sql_sanitize function should disappear...
>
> Regards,
> Thibault
>
> _______________________________________________
> PHPSurveyor-Developers mailing list
> PHP...@li...
> https://lists.sourceforge.net/lists/listinfo/phpsurveyor-developers
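The following is an added illustration of the `gT($string, $escapemode = 'html')` proposal discussed in the thread. It is not PHPSurveyor's code and was not written by either author; the `DemoLanguage` class, its in-memory translation table, and the sample request value are all constructed for this example. It shows the three contexts Thibault lists (HTML element value, inline JavaScript string literal, and switch/case comparison against a raw `_POST` value) and why each needs a different output of the same translated string.

```php
<?php
declare(strict_types=1);

// Added example, not PHPSurveyor's own code: a minimal gT() with the
// proposed $escapemode argument. The translation table is constructed.
class DemoLanguage
{
    private array $table = [
        "Add question"                => "Ajouter une question",
        "Do you want to delete this?" => "Voulez-vous supprimer l'élément ?",
    ];

    // Translate $string and escape it for the context it will be emitted into.
    // Default 'html' keeps every existing $clang->gT() call safe in HTML output;
    // 'js' is for a string literal inside a <script> block;
    // 'unescaped' is for comparing against raw request values.
    public function gT(string $string, string $escapemode = 'html'): string
    {
        $translated = $this->table[$string] ?? $string;
        switch ($escapemode) {
            case 'html':
                return self::html_escape($translated);
            case 'js':
                return self::javascript_escape($translated);
            case 'unescaped':
                return $translated;
            default:
                throw new InvalidArgumentException("unknown escape mode: $escapemode");
        }
    }

    // ENT_QUOTES escapes both ' and " so the result is safe in single- or
    // double-quoted attribute values as well as in element content.
    public static function html_escape(string $s): string
    {
        return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    }

    // Escape for a JavaScript string literal delimited by single quotes.
    // Backslash is handled first; '<' and '>' are hex-escaped so the literal
    // can never contain "</script>"; U+2028/2029 are line terminators in JS.
    public static function javascript_escape(string $s): string
    {
        return strtr($s, [
            '\\'          => '\\\\',
            "'"           => "\\'",
            '"'           => '\\"',
            "\n"          => '\\n',
            "\r"          => '\\r',
            '<'           => '\\x3C',
            '>'           => '\\x3E',
            "\xE2\x80\xA8" => '\\u2028',
            "\xE2\x80\xA9" => '\\u2029',
        ]);
    }
}

$clang = new DemoLanguage();
$label = "Do you want to delete this?";

// Problem A: HTML element value. Default mode, so the call looks exactly like
// today's $clang->gT($label) and the single quote no longer truncates the value.
echo "<input type=\"button\" value='" . $clang->gT($label) . "' />\n";
// value='Voulez-vous supprimer l&#039;élément ?'

// Problem C: the same string inside a script block, where an unescaped
// single quote would end the literal early and break the call.
echo "<script>showTooltip('" . $clang->gT($label, 'js') . "');</script>\n";
// showTooltip('Voulez-vous supprimer l\'élément ?');

// Unescaped mode: the browser posts the raw translated label back, so the
// case label must be the unescaped translation or it never matches.
$_POST['action'] = "Voulez-vous supprimer l'élément ?"; // constructed request value
switch ($_POST['action']) {
    case $clang->gT($label, 'unescaped'):
        echo "matched\n";
        break;
    default:
        echo "no match\n";
}
```

One caveat the `$escapemode` design makes easy to get wrong: an event-handler attribute such as `onclick="showTooltip('...')"` is two contexts at once, so the value must be JavaScript-escaped first and then HTML-escaped (`html_escape(javascript_escape($s))`); passing only `'js'` there leaves the attribute quoting unprotected. For Problem D, a `db_quote` helper is only as good as the database driver's own quoting function it wraps, and where the driver supports them, parameterised queries remove the quoting step entirely.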