& and " for edit reviews.php/edit(FIXED)

[Arnie]

If you enter say an ampersand or a quote into a review, then edit it, you're shown it in the format:

"test this & this"

Then when saving back it's changed into "&" etc etc.

[Chuck S]

well no one I know of would ever enter something like this. Any script I know of automatically will translate & to &

I would not call this a bug since our program translated the code when entering to the database & to the proper & and then grabbing from the database the code is then processed back into html so you purposely entering the code as already translated will result in what your getting. We properly convert & to & so your display would be correct given your situation

I hope I understand what you mean here as it sounds to me like your trying to enter something already translated.

[Chuck S]

I think I know what you mean and yes this would be correct as allowing it to be redone into html could render you to XSS cross scripting attacks.

I think this would be the way to go in reviews.php add the line in bold which just translates quotes and thats all


if ( VB35 == "on" ) $ereviews = htmlspecialchars($ereviews);
else $ereviews = htmlspecialchars(convert_markups($ereviews));

$ereviews = str_replace( "\"", """, $ereviews);

[Arnie]

The problem is that if a user enters an ampersand in a review e.g. "this & that", submit their review and then click "edit" they are presented with "this & that" in the edit box, and when they click submit again it becomes "this & that".

The problem is when they click edit it's not properly reverse parsing special characters like "& and /" etc. I think quotes are affected too.

[Chuck S]

In reviews.php change htmlspecialchars to un_htmlspecialchars

if ( VB35 == "on" ) $ereviews = un_htmlspecialchars($ereviews);
else $ereviews = un_htmlspecialchars(convert_markups($ereviews));