is not used any more and exists only for history. Post new tickets on the Github account. n'est plus utilisée, et existe uniquement pour son historique. Postez les nouveaux tickets sur le compte github.

Opened 12 years ago

Closed 12 years ago

Last modified 12 years ago

#647 closed bug (invalid)

[jForm-Html] Char < and > are parsed in &lt; and &gt; in a <pre> in a form with a textarea + type="html"

Reported by: nuks Owned by:
Priority: low Milestone:
Component: jelix:forms Version: trunk
Severity: normal Keywords:
Cc: Blocked By:
Blocking: Documentation needed: no
Hosting Provider: Php version:


Change History (8)

comment:1 Changed 12 years ago by laurentj

please, explain the problem, and outside the summary. I didn't understand.

comment:2 Changed 12 years ago by nuks

I have a form with a textarea. This textarea have type="html", so, it allow using HTML content. The balises I use with my textarea are not parsed (so, the < and > are not transformed in to &lt; and &gt;). The problem is when I use the character > (to write (not use) a PHP command in my case). I do this in a <PRE> html balise (so it's protected against XSS/CSS). The two first line of the pre are not parsed but the rest of the pre is parsed in to &lt;. Because of the pre, the printed character isn't > but &lt;

Strange, isn't it ? If you don't understand, you can subscribe to my blog and I will allow you to see unpublished articles, you will probably see the problem.

Note : I use wikirender as wiki displayer but this display his done when you read the form's content, and not when you write it in to the bdd.

comment:3 Changed 12 years ago by laurentj

  • Priority changed from normal to low
  • Version changed from 1.0.4 to trunk

The balises I use with my textarea are not parsed (so, the < and > are not transformed in to &lt; and &gt;)

This is the normal behavior, because type="html".

I do this in a <PRE> html balise (so it's protected against XSS/CSS)

I don't see the link between the use of <pre> and the XSS protection :-/. Things you put inside a <pre> are not protected again XSS

Note : I use wikirender as wiki displayer

If you use <textarea type="html">, this is because you want to type html content. So you mustn't use wikirenderer to display the content, because the content is HTML, not wiki.

For me, this bug is invalid because of an incorrect use of <textarea> and wikirenderer. Or perhaps I didn't understand again your problem. If this is the case, please give us a test case to show the problem.

comment:4 Changed 12 years ago by nuks

yeah sorry, I wanted to say xmp instead of pre...

The problem is I have a >/< character without balise, and it is parsed into &gt;/&lt;. Here, all is ok. The bug is that &gt;/&lt; are parsed in to a <pre>/<xmp> balise too. These balise render &gt;/&lt; instead of >/<.

Wikirenderer render a html format, so if i don't set the type="html", all the <|> will be parsed and my render will just print html balise. I'm probably false, please say me what to do. I asked before on IRC and somebody told me to do this.

Here is a screenshot: If you think i'm false you can close the ticket.

comment:5 Changed 12 years ago by bastnic

Trop fatigué pour parler anglais..

Donc, Je viens de me faire un petit usercase :

  `id` int(11) NOT NULL auto_increment,
  `txt` text collate utf8_unicode_ci NOT NULL,
  PRIMARY KEY  (`id`)

Je créé un daocrud, je modifie le xml pour avoir un type html

<?xml version="1.0" encoding="utf-8"?>
<forms xmlns="">

<textarea ref="txt" required="true" type="html">

<submit ref="_submit">

Dans mon crud tout con, je saisis


<?php $this->klmfjfkldsq;
<p>fjkqsmdfk </p>

Et ça me donne :


<?php $this->klmfjfkldsq;
<p>fjkqsmdfk </p>

Donc y a bien un bleme... Contrairement à ce que suggère nuks, c'est pas un pb de wikirender vu que moi je ne m'en suis pas servi.


comment:6 Changed 12 years ago by nuks

Merci :) Le problème ne vient ni de wikirenderer, ni de jForm d'après mes testes. Il ne reste que jDao.

Ma zone: Mon template:

comment:7 Changed 12 years ago by laurentj

  • Resolution set to invalid
  • Status changed from new to closed

@nuks : je persiste quand même à te dire que passer wikirenderer à du contenu issue d'un textarea type="html" reste totalement illogique. wikirenderer s'attend à du contenu wiki, pas du contenu HTML, donc c'est normal que wikirenderer échappe le contenu HTML. Si tu veux un fonctionnement différent, il faut que tu fasses tes propres "rules".

Donc, soit tu utilise textarea type=html sans wikirenderer, soit textarea simple avec wikirenderer. Sinon ça n'a pas de sens.

Et balise n'est pas un mot anglais.

@balise et nuks : ok, je vois le problème. Le contenu type="html" est parsé par un DOM parser, (cf jFilter). Il voit que le > du $this-> ferme la balise <?php , et donc ?> ne fait pas parti d'une balise, donc il echappe le > du ?>. Maintenant, il s'agit d'un textarea type="html", donc tout ce que vous devez y mettre, c'est censé être du HTML valide. On va quand même pas vérifier tous les <pre> pour echapper leur contenu. Surtout que ce n'est pas forcément ce que veut l'auteur puisque dans un <pre> on peut mettre des vraies balises HTML sans vouloir les echapper (un pre, ça contient pas que du code source pour geek, hein ;-) ).

Bref, nuks, si tu veux afficher ce que tu voulais, il faut echapper toi-même le contenu des pre, lors de la saisie :


&lt;?php $this-&gt;klmfjfkldsq;
<p>fjkqsmdfk </p>

Ce bug est donc invalide.

comment:8 Changed 12 years ago by nuks

Ok merci ;) Je vais testé ça. Si j'ai un pb je go sur irc.

Note: See TracTickets for help on using tickets.