Hi,
On AccountGroups.php, in line 320 we have:
<td>' . htmlspecialchars($myrow['groupname'], ENT_QUOTES,'UTF-8') . '</td>
but in lines 321 and 324 we have:
<td>' . $myrow['sectionname'] . '</td>
...
<td>' . $myrow['parentgroupname'] . '</td>
The htmlspecialchars() function converts some predefined characters to HTML
entities [ & (ampersand) becomes &amp; " (double quote) becomes &quot; '
(single quote) becomes &#039; < (less than) becomes &lt; > (greater than)
becomes &gt; ].
My questions:
1. Is there any reason to use it in account-group-name, but not in
account-section-name nor in account-parent-group-name?
2. How often do you find these characters (ampersand, double quote, single
quote, less than, greater than) in those names?
My proposal: if these characters (ampersand, double quote, single quote,
less than, greater than) are very, very infrequent in those names, we can:
a) Declare these characters as "invalid" and filter them in the
"input-procedure" (procedure used infrequently) and
eliminate the use of the htmlspecialchars() function in the
"display-procedure" (procedure used frequently). Or,
b) Convert/Unconvert these characters to store them as "HTML entities" in
the database in the "input-procedure" (procedure used infrequently) and
eliminate the use of the htmlspecialchars() function in the
"display-procedure" (procedure used frequently) by using data "as-is" in
the database.
Technical comments, opinions, suggestions?
Best regards, Rafael.
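For comparison, here is an added example (not code from the message above or from the project it discusses) of the alternative the mail does not list: keep raw data in the database and escape every cell once at display time with the same htmlspecialchars() call already used for groupname. The helper names h() and renderRow(), the row shape, and the sample values are assumptions constructed for this example; the second echo shows what happens when a value that already holds an entity, as proposal (b) would store, is passed through the same escaping.

```php
<?php
// Added example, not project code. Escapes every column of one table row
// at output time, using the same flags as the existing groupname cell.
declare(strict_types=1);

/** Escape one value for use inside HTML text or a quoted attribute. */
function h(?string $value): string
{
    // ENT_QUOTES covers both " and ' ; 'UTF-8' matches the existing call.
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

/** Render one row with the three columns quoted in the mail, all escaped. */
function renderRow(array $myrow): string
{
    return '<tr>'
        . '<td>' . h($myrow['groupname']) . '</td>'
        . '<td>' . h($myrow['sectionname']) . '</td>'
        . '<td>' . h($myrow['parentgroupname']) . '</td>'
        . '</tr>';
}

// Constructed sample row (assumption, not database data) containing each of
// the five characters that htmlspecialchars() rewrites.
$sample = [
    'groupname'       => 'R&D <Assets>',
    'sectionname'     => 'Plant "East" Wing',
    'parentgroupname' => "O'Brien's Group",
];

echo renderRow($sample), PHP_EOL;

// A value stored already converted (proposal b) and then escaped again at
// display is converted twice: the & of the stored entity is itself rewritten.
echo h('R&amp;D'), PHP_EOL;
```

Run with `php example.php`. The first line of output is the row with all three cells encoded the same way; the second line illustrates why storing entities in the database and escaping at output do not combine well, so whichever layer does the conversion, it should be only one of them.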