[solved] entities problem

Talk about writing modules and plugins for CMS Made Simple, or about specific core functionality. This board is for PHP programmers that are contributing to CMSMS not for site developers
Post Reply
piotrekkr
Forum Members
Forum Members
Posts: 38
Joined: Mon Mar 05, 2007 5:30 pm

[solved] entities problem

Post by piotrekkr »

Hi, I have problem with textareas and maby with CMS. I have form with textarea and i post data like this:

Code: Select all

ąśćł!!!!!
then I post data ,show it by var_dump($params) and insert posted data back in form textarea. and i get something like that:
in source code by var_dump():

Code: Select all

["abaut"]=>
  string(33) "ąśćł!!!!!"
in source code in textarea:

Code: Select all

ąśćł!!!!!
in textarea on page:

Code: Select all

ąśćł!!!!!
It should be

Code: Select all

ąśćł!!!!!
on page. My question is why CMSMS make entities of params after sending them to module? It apears that CreateTextarea() make entities automaticaly. So entities are made two times. How to turn off automatic entities in params? Or isn't it cmsms which doing this? Could it be my new hosting server? I use cmsms version 1.3.1 . Thank you for help. :)

PS. Sorry for my poor english.
Last edited by piotrekkr on Sat Jul 19, 2008 2:04 pm, edited 1 time in total.
Top
piotrekkr
Forum Members
Forum Members
Posts: 38
Joined: Mon Mar 05, 2007 5:30 pm

Re: entities problem

Post by piotrekkr »

I looked into cms core and it looks like there is function cms_htmlentities() that entities characters.

Code: Select all

/**
 * Enter description here...
 *
 * @param unknown $val
 * @param integer $quote_style
 * @return unknown
 * 
 * $quote_style may be one of:
 *     ENT_COMPAT   : Will convert double-quotes and leave single-quotes alone. 
 *     ENT_QUOTES   : Will convert both double and single quotes. 
 *     ENT_NOQUOTES : Will leave both double and single quotes unconverted. 
 */
function my_htmlentities($val)
{
	if ($val == "")
	{
		return "";
	}
	$val = str_replace( " ", " ", $val ); 

	//Remove sneaky spaces 
	// $val = str_replace( chr(0xCA), "", $val );   

	$val = str_replace( "&"            , "&"         , $val ); 
	$val = str_replace( "<!--"         , "<!--"  , $val ); 
	$val = str_replace( "-->"          , "-->"       , $val ); 
	$val = preg_replace( "/<__script__/i"  , "<__script__"   , $val ); 
	$val = str_replace( ">"            , ">"          , $val ); 
	$val = str_replace( "<"            , "<"          , $val ); 
	
	
	$val = str_replace( "\""           , """        , $val ); 

	// Uncomment it if you need to convert literal newlines 
	//$val = preg_replace( "/\n/"        , "<br>"          , $val ); 

	$val = preg_replace( "/\\$/"      , "$"        , $val ); 

	// Uncomment it if you need to remove literal carriage returns 
	//$val = preg_replace( "/\r/"        , ""              , $val ); 

	$val = str_replace( "!"            , "!"         , $val ); 
	$val = str_replace( "'"            , "'"         , $val ); 
	 
	// Uncomment if you need to convert unicode chars 
	//$val = preg_replace("/&#([0-9]+);/s", "&#\1;", $val ); 

	// Strip slashes if not already done so. 

	//if ( get_magic_quotes_gpc() ) 
	//{ 
	//	$val = stripslashes($val); 
	//} 

	// Swop user inputted backslashes 

	//$val = preg_replace( "/\(?!&#|?#)/", "\", $val );

	return $val;
}
But i still don't know why this function is used on every param just after sending them by form?? How to turn off feature that uses this function on every param I send?? Plz help

//edit:
Ok I fought it might be problem with my webhosting but I run copy of cmsms on my localhost and it didn't resolve my problem. Anybody knows how to fix this???? Please help
Last edited by piotrekkr on Fri Jul 18, 2008 6:41 pm, edited 1 time in total.
Top
piotrekkr
Forum Members
Forum Members
Posts: 38
Joined: Mon Mar 05, 2007 5:30 pm

Re: entities problem

Post by piotrekkr »

Ok I found it after hours of searching and tests... Problem was in DoBaseAction() function.

Code: Select all

function DoActionBase($name, $id, $params, $returnid='')
	{
	  
	  if( $returnid != '' )
	    {
	      if( !$this->restrict_unknown_params && 
		  get_site_preference('allowparamcheckwarnings',0))
		{
		  trigger_error('WARNING: '.$this->GetName().' is not properly cleaning input params.',E_USER_WARNING);
		}
	      // used to try to avert XSS flaws, this will
	      // clean as many parameters as possible according
	      // to a map specified with the SetParameterType metods.
	      $params = cleanParamHash($params,$this->param_map,
				       !$this->restrict_unknown_params);
	    }
.......

}
Problem was in

Code: Select all

$params = cleanParamHash($params,$this->param_map,
				       !$this->restrict_unknown_params);
code of cleanParamHash() function:

Code: Select all

/**
 * Method to sanitize all entries in 
 * a hash
 *
*/
define('CLEAN_INT','CLEAN_INT');
define('CLEAN_FLOAT','CLEAN_FLOAT');
define('CLEAN_NONE','CLEAN_NONE');
define('CLEAN_STRING','CLEAN_STRING');
define('CLEAN_REGEXP','regexp:');
define('CLEAN_FILE','CLEAN_FILE');
function cleanParamHash($data,$map = false,
						$allow_unknown = false,$clean_keys = true)
{
  $mappedcount = 0;
  $result = array();
  foreach( $data as $key => $value )
	{
	  $mapped = false;
	  $paramtype = '';
	  if( is_array($map) )
		{
		  if( isset($map[$key]) )
			{
				$paramtype = $map[$key];
			}
		  else {
			  // Key not found in the map
			  // see if one matches via regular expressions
			  foreach( $map as $mk => $mv ) {
				  if(strstr($mk,CLEAN_REGEXP) === FALSE) continue;

				  // mk is a regular expression
				  $ss = substr($mk,strlen(CLEAN_REGEXP));
				  if( $ss !== FALSE ) {
					  if( preg_match($ss, $key) ) {
						  // it matches, we now know what type to use
						  $paramtype = $mv;
						  break;
					  }
				  }
			  }
		  } // else

		  if( $paramtype != '' ) {
			  switch( $paramtype ) {
			  case 'CLEAN_INT':
				  $mappedcount++;
				  $mapped = true;
				  $value = (int) $value;
				  break;
			  case 'CLEAN_FLOAT':
				  $mappedcount++;
				  $mapped = true;
				  $value = (float) $value;
				  break;
			  case 'CLEAN_NONE':
				  // pass through without cleaning.
				  $mappedcount++;
				  $mapped = true;
				  break;
			  case 'CLEAN_STRING':
				  $value = cms_htmlentities($value);
				  $mappedcount++;
				  $mapped = true;
				  break;
			  case 'CLEAN_FILE':
				  $value = cms_cleanfile($value);
				  $mappedcount++;
				  $mapped = true;
				  break;
			  default:
				  $mappedcount++;
				  $mapped = true;
				  $value = cms_htmlentities($value);
				  break;
			  } // switch
		  } // if $paramtype
			  
		}

	  // we didn't clean this yet
	  if( $allow_unknown && !$mapped )
		{
		  // but we're allowing unknown stuff so we'll just clean it.
		  $value = cms_htmlentities($value);
		  $mappedcount++;
		  $mapped = true;
		}

	  if( $clean_keys )
		{
		  $key = cms_htmlentities($key);
		}

	  if( !$mapped && !$allow_unknown )
		{
		  trigger_error('Parameter '.$key.' is not known... dropped',E_USER_WARNING);
		  continue;
		}
	  $result[$key]=$value;
	}
  return $result;
}
cms_htmlentities() uses my_entities() function to entoty some characters.
As I understand  cleanParamHash() function should protect for XSS atack but it realy iritated me   >:( I think that everyone should protect himself his scripts and it shouldn't be imposed by core... If it is already in core there should be way to turn this feature on/off in config file. Maby there is option that turn this off but i couldn't find it...
I turn this off by commenting lines:

Code: Select all

// $params = cleanParamHash($params,$this->param_map,
//				       !$this->restrict_unknown_params);
thanks for interest (above 80 views...) in this topic.
Top
Post Reply

Return to “Developers Discussion”