Content plugin loads broken form

Hi Hugh, welcome back, I hope you had a fantastic time! :)

Thanks for your suggested fix. I have applied it but unfortunately get the same problem. Looking at the output, it is half resolved but we would need to apply the same strategy to this part as well:

HTML:
<img src="/media/com_fabrik/images/notempty.png" class="notempty" />
Is there not a way to use str_replace or addslashes on the output? It feels like this may be a more robust way to tackle the problem if the title attribute is dynamic.

Thanks again for all your great work! :)
 
Just a thought, but Felixcat committed a fix to the {plugin} parsing code for things which use {foo}{/foo}, it might be worthwhile updating to see if that resolves this issue?
 
I have just upgraded to the latest github but it didn't help with this issue. :(

However, I bit the bullet and after spending the morning on it, I have managed to find a fix! :)

I don't fully understand why the problem is occurring because you already have code to prevent this happening. Here is the code which causes the problem from line 1471 in /components/com_fabrik/helpers/html.php:

PHP:
        $bits = array();
        foreach ($properties as $key => $val)
        {
            // Only the title attribute is entity-encoded; ENT_QUOTES also encodes ' and "
            if ($key === 'title')
            {
                $val = htmlspecialchars($val, ENT_QUOTES);
            }
            $bits[$key] = $val;
        }
        $p = '';
        foreach ($bits as $key => $val)
        {
            // Swap any remaining double quotes for single quotes, then emit key="val"
            $val = str_replace('"', "'", $val);
            $p .= $key . '="' . $val . '" ';
        }
        return $src == '' ? '' : '<img src="' . $src . '" ' . $p . '/>';

For some reason, the str_replace does not work on the title tag after htmlspecialchars has done its thing. I have no idea why because when using echo or print_r on the variables, I can clearly see the double quotes but for some reason, str_replace can't. In fact, htmlspecialchars doesn't seem to change the string at all (apart from breaking str_replace). I have tried various different htmlspecialchars parameters but they don't seem to make any difference... ???

Anyway, my fix is simple. Do the str_replace on the title before htmlspecialchars gets involved. Here is the working version for me:

PHP:
        $bits = array();
        foreach ($properties as $key => $val)
        {
            if ($key === 'title')
            {
                // Replace double quotes before encoding, so the encoder never sees them
                $val = str_replace('"', "'", $val);
                $val = htmlspecialchars($val, ENT_QUOTES);
            }
            $bits[$key] = $val;
        }
        $p = '';
        foreach ($bits as $key => $val)
        {
            // Same replacement for every other attribute, then emit key="val"
            $val = str_replace('"', "'", $val);
            $p .= $key . '="' . $val . '" ';
        }
        return $src == '' ? '' : '<img src="' . $src . '" ' . $p . '/>';

This fixes the problem for me but is bizarre because the problem only occurred when using the content plugin. For example, here are the outputs from the same form that are generated for me after my change:

Form loaded from content plugin:
HTML:
<img src="http://www.help-diabetes.org.uk/media/com_fabrik/images/notempty.png" class="fabrikTip fabrikImg" opts="{'position':'top'}" title="<div><ul class='validation-notices' style='list-style:none'><li><img src='http://www.help-diabetes.org.uk/media/com_fabrik/images/notempty.png' class='notempty fabrikImg' />This is a required field</li></ul></div>" />

Form loaded from menu link:
HTML:
<img src="http://www.help-diabetes.org.uk/media/com_fabrik/images/notempty.png" class="fabrikTip fabrikImg" opts="{'position':'top'}" title="&lt;div&gt;&lt;ul class='validation-notices' style='list-style:none'&gt;&lt;li&gt;&lt;img src='http://www.help-diabetes.org.uk/media/com_fabrik/images/notempty.png' class='notempty fabrikImg' /&gt;This is a required field&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;" />

As you can see, the same htmlspecialchars function is working in one case but not the other. Not only that, but it is preventing str_replace from working on it afterwards.

Crazy! Maybe it is a bug in PHP (we are using v5.3.16).
 
I have done some more research but am no closer to understanding why this is happening. :mad:

However, I have improved the workaround by simply replacing:

PHP:
$val = htmlspecialchars($val, ENT_QUOTES);
with

PHP:
$val = str_replace('>', "&gt;", str_replace('<', "&lt;", str_replace("'", "&#039;", str_replace('"', "&quot;", str_replace('&', "&amp;", $val)))));

This now produces exactly the same result as htmlspecialchars.
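As an added example (not code from Fabrik or from anyone in this thread), the PHP below reproduces the two escaping behaviours the thread runs into: a str_replace on `"` after htmlspecialchars(ENT_QUOTES) has nothing left to match because every quote is already an entity, and a hand-rolled replacement chain only equals htmlspecialchars when the ampersand is replaced first and the apostrophe is mapped to &#039;. It also shows the real fourth parameter of htmlspecialchars, double_encode, which stops a title that is already escaped from being escaped twice. buildImg, escapeAttrManual and escapeAttrWrongOrder are hypothetical names; the sample title is constructed.

```php
<?php
// Added example, not code from Fabrik or this thread. Builds an <img> tag from
// an attribute array (a hypothetical stand-in for the helper quoted above) and
// checks the escaping choices discussed in the thread.

// Equivalent of htmlspecialchars($v, ENT_QUOTES) built from str_replace calls.
// '&' is replaced first so the ampersands inside the entities produced by the
// later replacements are not escaped a second time.
function escapeAttrManual($val)
{
    $val = str_replace('&', '&amp;', $val);
    $val = str_replace('"', '&quot;', $val);
    $val = str_replace("'", '&#039;', $val);
    $val = str_replace('<', '&lt;', $val);
    $val = str_replace('>', '&gt;', $val);
    return $val;
}

// Same replacements with '&' applied last: '&gt;' turns into '&amp;gt;', and
// replacing an apostrophe with itself is a no-op, so the result differs from
// what htmlspecialchars() returns.
function escapeAttrWrongOrder($val)
{
    return str_replace('&', '&amp;', str_replace('"', '&quot;', str_replace("'", "'", str_replace('<', '&lt;', str_replace('>', '&gt;', $val)))));
}

// Build an <img> tag; every attribute value is escaped for a double-quoted
// attribute. $doubleEncode = false leaves entities that are already present
// (e.g. a title that arrives pre-escaped) alone instead of producing &amp;lt;.
function buildImg($src, array $properties, $doubleEncode = true)
{
    if ($src === '') {
        return '';
    }
    $p = '';
    foreach ($properties as $key => $val) {
        $p .= $key . '="' . htmlspecialchars($val, ENT_QUOTES, 'UTF-8', $doubleEncode) . '" ';
    }
    return '<img src="' . htmlspecialchars($src, ENT_QUOTES, 'UTF-8') . '" ' . $p . '/>';
}

// Constructed sample title: HTML containing single quotes, like the tooltip above.
$title = "<div><ul class='validation-notices'><li>This is a required field</li></ul></div>";

$escaped = htmlspecialchars($title, ENT_QUOTES);

// 1. After htmlspecialchars(ENT_QUOTES) no literal '"' or "'" remains, so a
//    later str_replace('"', "'", ...) has nothing to replace.
if (strpos($escaped, '"') !== false || strpos($escaped, "'") !== false) {
    throw new Exception('unexpected raw quote after escaping');
}
if (str_replace('"', "'", $escaped) !== $escaped) {
    throw new Exception('str_replace should be a no-op here');
}

// 2. The manual chain matches htmlspecialchars only when '&' goes first.
if (escapeAttrManual($title) !== $escaped) {
    throw new Exception('manual escaping differs from htmlspecialchars');
}
if (escapeAttrWrongOrder($title) === $escaped) {
    throw new Exception('wrong-order chain should not match');
}

// 3. Escaping an already-escaped title double-encodes it unless double_encode is off.
$once      = buildImg('/media/com_fabrik/images/notempty.png', array('title' => $title));
$twice     = buildImg('/media/com_fabrik/images/notempty.png', array('title' => $escaped));
$twiceSafe = buildImg('/media/com_fabrik/images/notempty.png', array('title' => $escaped), false);
if ($twice === $once || $twiceSafe !== $once) {
    throw new Exception('double_encode handling is wrong');
}

echo $once, "\n";
```

Run it with `php example.php`; it prints the single-escaped tag and throws if any of the three checks fails. The double_encode parameter has been available since PHP 5.2.3, so it applies to the 5.3.16 install mentioned above.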
 