Safecracker submission html code issue
Posted: 13 January 2011 11:12 PM
Wallflower

Hello,

I have been working on implementing safecracker on my site and have run into an issue when trying to save or edit a field that includes some specific html entities. Namely <, >, or &.

It is converting the html characters to their corresponding code. 

Example:

< is being changed to "& l t ;"   <-- without the spaces or quotes
> is being changed to '& g t ;'   <-- without the spaces or quotes

I have looked all through this forum but have not found anything on this issue.

The form saves the data, but it is saving it with the characters changed.  How can I have the characters not altered when the safecracker form is submitted?

When I save or re-edit the entry from inside the EE control panel, all works correctly.  With the html characters remaining in the correct format.

As an example.  If I am trying to save a field containing

<object width="640" height="481"

from a safecracker form, it is being saved as

"& l t ;"object height="468" width="640""& g t ;" 

Once again the above doesn’t include the spaces or quotes (so I can show the characters to you).  However, it saves correctly if I edit the entry directly from inside EE.

Any assistance would be appreciated.

Thanks,
Mark

Posted: 13 January 2011 11:49 PM [ # 1 ]
Teen Scream

Which type of field is in question? And to confirm: if you do the same thing in the CP it saves properly?

Posted: 13 January 2011 11:56 PM [ # 2 ]
Wallflower

I’ve tried a normal textarea field and a text field inside matrix 2.

And yes you are correct that if I do the same thing in the CP it saves properly.

Posted: 14 January 2011 12:00 AM [ # 3 ]
Wallflower

Oh, and if you need it, I’m running the latest version of EE - Version: 2.1.3 - Build: 20101220

I also have:
The latest version of safecracker: 1.0.2
The latest version of Matrix - 2.1.2
The latest version of Wygwam - 2.1.7

Posted: 14 January 2011 12:00 AM [ # 4 ]
Teen Scream

I’ll do some tests and get back to you.

Posted: 14 January 2011 12:13 AM [ # 5 ]
Teen Scream

One more question: what field format do you have selected for that field?

Posted: 14 January 2011 12:18 AM [ # 6 ]
Wallflower

I don’t know what you mean by field format.  Do you mean field type?  I have it currently set on textarea, but have also tried matrix with a cell type of text.

Posted: 14 January 2011 12:19 AM [ # 7 ]
Teen Scream

If you go to the field settings page for that field, see the attached screenshot:

Posted: 14 January 2011 12:23 AM [ # 8 ]
Wallflower

Oh yes, I have that set to “none”.

Posted: 14 January 2011 01:06 AM [ # 9 ]
Teen Scream

OK, it seems to be a problem with CodeIgniter’s native xss filtering, which doesn’t like object elements, among some others. I don’t have a solution for you yet, but I will continue researching this. Please check back in a few days if you don’t hear anything from me.

Posted: 14 January 2011 01:11 AM [ # 10 ]
Wallflower

I definitely will check back. I wasn’t sure if it was related to safecracker or not as it happens with the safecracker form but works fine from inside the CP.

Thanks a lot for your help on this.

Posted: 17 January 2011 12:17 AM [ # 11 ]
Wallflower

Hi Rob,

You mentioned to check back and see if you have located any potential solutions for this issue. 
Have you had any luck?

Posted: 20 January 2011 02:23 PM [ # 12 ]
Wallflower

Hi Rob,

I’m assuming you haven’t as there has been no response, but have you had a chance to look any further into this issue?

Posted: 21 January 2011 12:00 AM [ # 13 ]
Absolute Heartthrob!

Rob is currently at the Hospital… his wife just went into labor. I don’t know if he found anything specific. After he last posted was a weekend and the MLK Monday holiday, so I don’t know that he’s had enough time to sort it out… but I’ll forward this to him and see if he’s gotten anywhere. My guess is… this one’s a bit complicated, so I’d doubt there’s a workaround yet.

Posted: 21 January 2011 02:20 AM [ # 14 ]
Wallflower

First off, congratulations to Rob!  I hope everything went well.

Thanks for the update, I wasn’t aware of the holiday on Monday and didn’t think about the weekend posting.  I was just hoping to get this all figured out.

I’ll check back later.

Posted: 02 February 2011 03:19 AM [ # 15 ]
Teen Scream

Hi irecess, I researched this and found that there’s no solution other than either hacking the EE core or hacking the SafeCracker core. I am not comfortable removing the XSS filtering from our procedure, since SafeCracker forms are on the front-end. In the CP, this filtering is not done, which is why this is not an issue there. If you are interested in more info I can tell you which lines of code to change (in either EE or SafeCracker) to make this work.

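The behaviour described in this answer, as an added illustration rather than code from the thread, EE, SafeCracker or CodeIgniter: a cut-down "naughty tag" stage of an XSS filter run once on the filtered front-end path and once on the unfiltered Control Panel path, using the markup from the first post. The tag list, function names and sample field value are assumptions; CodeIgniter's real filter is its Security::xss_clean() method, which is not reproduced here.

```php
<?php
// Added illustration (not EE, SafeCracker or CodeIgniter code): a simplified
// "naughty tag" stage, as in the description above. The tag list is assumed.

function naughty_tag_filter(string $html): string
{
    // Opening brackets of these tags are entity-encoded so a browser never
    // parses them as markup. <object> is on the list, <p> is not.
    $naughty = 'object|embed|applet|script|iframe|meta|link|style|base';
    return preg_replace_callback(
        '#<(/?)(' . $naughty . ')\b([^>]*)>?#i',
        function (array $m): string {
            // Only the angle brackets are encoded; the tag name and attributes
            // survive, which is exactly the "&lt;object ...&gt;" the poster saw.
            $close = substr($m[0], -1) === '>' ? '&gt;' : '';
            return '&lt;' . $m[1] . $m[2] . $m[3] . $close;
        },
        $html
    );
}

function save_entry(string $field, bool $from_control_panel): string
{
    // A Control Panel save comes from an authenticated editor and skips the
    // filter; a front-end SafeCracker submission is untrusted and goes through it.
    return $from_control_panel ? $field : naughty_tag_filter($field);
}

// Constructed sample: the markup reported in the thread plus a harmless tag.
$field = '<object width="640" height="481"></object> <p>caption</p>';

echo "front-end: ", save_entry($field, false), PHP_EOL;
echo "CP:        ", save_entry($field, true), PHP_EOL;
```

Running it shows the object element encoded on the front-end path and the paragraph untouched on both, which is why the same text round-trips only when edited in the CP.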