Admin-side Input Fields
Posted: Tue Mar 15, 2005 7:33 pm
So I was working on a new content type last night, when I discovered an admin-side bug. The problem is if you enter a content Title or Menu name or something that contains a dangerous HTML character, which in this case probably is only double-quote or > (the latter only in certain browsers). The information gets stored to the database correctly, but when ContentManager::CreateTextInput or similar functions are called, the dangerous characters are not escaped, thus the input terminates early and the HTML is no longer valid.
Fortunately, I'd already written something that would address the problem when I was doing the FeedbackForm stuff. It's a fairly trivial "nerfing" function which I use in my inputs (although it might make sense to migrate it into the ContentManager CreateTextInput and related functions). It basically replaces double-quote, greater-than, and single quote with the HTML entities. Most browsers then handle the input correctly.
Anyway, it's in the pastebin: http://www.cmsmadesimple.org/pastebin/46
Fortunately, I'd already written something that would address the problem when I was doing the FeedbackForm stuff. It's a fairly trivial "nerfing" function which I use in my inputs (although it might make sense to migrate it into the ContentManager CreateTextInput and related functions). It basically replaces double-quote, greater-than, and single quote with the HTML entities. Most browsers then handle the input correctly.
Anyway, it's in the pastebin: http://www.cmsmadesimple.org/pastebin/46