3.1 HTML Settings(FIXED) - Page 2

WB · October 7th, 2005, 03:04 PM

omegatron:

To make sure we had all the changes (versus the one change we manually made yesterday), I uploaded all of the main level *.php files from the build I just downloaded.

Now we are having the reverse problem.

HTML works as expected in reviews and doesn't get executed since html in reviews is set to off.

In the products though, where html is set to yes, our html javascript and iframes don't get executed/shown properly now.

Are the changes now preventing those from being evaluated when HTML is set to on (for products in our case)?

We are seeing our 'alternate' message for browser's that don't support iframes.

If I revert back to the prior files, all appears correctly.

I suspect that the changes to un_htmlspecialchars may be interfering now even when HTML is set to yes.

Chuck S · October 7th, 2005, 05:33 PM

Okay not a bug my friend. I don't know of any script that would purposely allow javascript tags as this is the number one way to inject bad code but if you want to allow them then make this small change but this is not something I would be putting in reviewpost. Add the part in bold

Code:

Content visible to verified customers only.

WB · October 7th, 2005, 07:41 PM

Thanks.

In our case we are the only ones who add products and we have HTML off for the reviews so that helps to mitigate the risk (I realize about the injection of bad code since I was the one who pointed out the whole issue in the prior 3.x builds before the switches were added).

Mark Goldstein · October 9th, 2005, 06:09 AM

So I need to re-upload all of the main level *.php files? (except for config.php)

WB · October 9th, 2005, 07:51 AM

Mark:

Yes, that's what we did. We uploaded all of the main level php files with the exception of the config files (and also didn't upload install.php and upgrade.php).

We also made the function un_htmlspecialchars edit (in pp-inc) above to allow the script tag (and another to allow the iframe tag since we use that too) in our products (to "<script><iframe><b><table>.....).

I think our setup is similar to yours in that we are the only ones who post products but we want HTML off in the reviews since users can post those.

Hope this helps.

Have a good weekend.

Mark Goldstein · October 9th, 2005, 09:25 AM

OK, thank WB, that seems to have fixed the HTML problem.