& and " for edit reviews.php/edit (FIXED)
September 6th, 2005, 11:31 AM
If you enter say an ampersand or a quote into a review, then edit it, you're shown it in the format:
"test this & this"
Then when saving back it's changed into "&amp;" etc etc.
September 6th, 2005, 01:48 PM
Well, no one I know of would ever enter something like this. Any script I know of will automatically translate & to &.
I would not call this a bug, since our program translated the code when entering it into the database (& to the proper &), and then, grabbing it from the database, the code is processed back into HTML, so purposely entering the code as already translated will result in what you're getting. We properly convert & to &, so your display would be correct given your situation.
I hope I understand what you mean here, as it sounds to me like you're trying to enter something already translated.
September 6th, 2005, 05:34 PM
I think I know what you mean, and yes, this would be correct, as allowing it to be redone into HTML could render you vulnerable to XSS (cross-site scripting) attacks.
I think this would be the way to go: in reviews.php add the line in bold, which just translates quotes and that's all.
if ( VB35 == "on" ) $ereviews = htmlspecialchars($ereviews);
else $ereviews = htmlspecialchars(convert_markups($ereviews));
$ereviews = str_replace( "\"", "&quot;", $ereviews); // added line: encode double quotes as the &quot; entity
September 8th, 2005, 11:09 AM
The problem is that if a user enters an ampersand in a review, e.g. "this & that", submits their review and then clicks "edit", they are presented with "this & that" in the edit box, and when they click submit again it becomes "this &amp; that".
The problem is that when they click edit it's not properly reverse-parsing special characters like "& and /" etc. I think quotes are affected too.
September 8th, 2005, 02:04 PM
In reviews.php, change htmlspecialchars to un_htmlspecialchars:
if ( VB35 == "on" ) $ereviews = un_htmlspecialchars($ereviews);
else $ereviews = un_htmlspecialchars(convert_markups($ereviews));
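The store / edit / re-save round trip behind this thread, as an added stand-alone example (not the review script's or vBulletin's own code; the function names are illustrative). It shows why feeding the already-escaped database value back into the edit box double-escapes "&" and quotes, and why decoding it once before editing, then escaping once on save, leaves the stored text unchanged.

```php
<?php
// Added example, not code from the project. Names are illustrative.

// On submit the script escapes the raw review exactly once before storing it.
function store_review(string $raw): string {
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

// Buggy edit path: the stored (already escaped) text goes straight back
// into the edit box, so the user sees "&amp;" and it gets escaped again on save.
function edit_box_buggy(string $stored): string {
    return $stored;
}

// Fixed edit path (the thread's un_htmlspecialchars step): decode the stored
// entities back to the user's original text before it is shown for editing.
function edit_box_fixed(string $stored): string {
    return htmlspecialchars_decode($stored, ENT_QUOTES);
}

// Rendering the edit form: escape the value once for the HTML context. The
// browser decodes that single layer, so the user edits the raw text, not entities.
function render_textarea(string $value): string {
    return '<textarea name="review">'
        . htmlspecialchars($value, ENT_QUOTES, 'UTF-8')
        . '</textarea>';
}

// Constructed sample review containing the characters from the bug report.
$original = 'this & that "quoted" <b>';
$stored   = store_review($original);

// Buggy path: escaping the escaped text again changes what is stored.
$resaved_buggy = store_review(edit_box_buggy($stored));

// Fixed path: decode for editing, re-escape on save, stored value is stable.
$resaved_fixed = store_review(edit_box_fixed($stored));

echo "stored:        $stored\n";
echo "buggy re-save: $resaved_buggy\n";
echo "fixed re-save: $resaved_fixed\n";
echo "buggy round trip stable: " . var_export($resaved_buggy === $stored, true) . "\n";
echo "fixed round trip stable: " . var_export($resaved_fixed === $stored, true) . "\n";
echo "edit box shows original: " . var_export(edit_box_fixed($stored) === $original, true) . "\n";
echo render_textarea(edit_box_fixed($stored)) . "\n";
```

Passing `false` as the fourth (`double_encode`) argument of htmlspecialchars would also stop the re-escaping, but it would then silently treat a user who literally typed "&amp;" as having entered an entity, so decoding once before editing is the cleaner fix.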
vBulletin® v3.8.1, Copyright ©2000-2014, Jelsoft Enterprises Ltd.