Author Topic: Problems with quotes in title of article  (Read 8414 times)

ruud

  • Newbie
  • *
  • Karma: 0
  • Posts: 9
Problems with quotes in title of article
« on: December 14, 2006, 03:28:45 PM »

There is some unexpected behaviour when entering an article title including single or double quotes in v1.5.

1. When you use single quotes around a word, these are automatically stripped. However, when you add two single quotes directly after each other, these are preserved. So 'text' becomes text but if you enter ''text'' [double single quotes], the title becomes 'text' and the quotes are preserved when the article is edited.

2. When using double quotes, the title is preserved when saved the first time. However, when the article is edited, the title field is empty.

These problems do not occur in the Text field, so I assume they are easily fixed.
Logged

Mika

  • Hero Member
  • *****
  • Karma: 9
  • Posts: 1377
    • http://www.ni5ni6.com/
Problems with quotes in title of article
« Reply #1 on: December 15, 2006, 08:43:19 AM »

There's a variable
Quote
$title = str_replace("\'", "&#39;", $_POST['title']);
in function processing() inside snews.php.
Try this:
Quote
# remove string replacement
$title = $_POST['title'];
# or add magic_quotes checking routine to it
$title = !get_magic_quotes_gpc() ? addslashes($_POST['title']) : $_POST['title'];
Logged
http://www.ni5ni6.com/ - Tutorials, Mods and How-To's about sNews CMS
sNews 1.6 Developers Edition - commented sNews 1.6 version

ruud

  • Newbie
  • *
  • Karma: 0
  • Posts: 9
Problems with quotes in title of article
« Reply #2 on: December 20, 2006, 09:41:24 AM »

Hello Mika,

thanks for your input! But this provides only half of the solution I'm afraid, because titles with quotes still are not displayed when the article is edited. If you don't pay attention and focus on the text, you will end up with an error message because you submit an article with an empty title.

I have hacked the code to circumvent this problem, but I suppose it would be preferable if all forms are checked for this problem. I noticed for instance that double quotes are escaped in the text of an article. This means that between POSTs and SUBMITs you have to strip/add quotes, otherwise people may end up with texts like this if they are editing articles multiple times:

This article contains a word between \\\\"quotes\\\\"

OK, so my hack is to change line 1142:

Code:
html_input('text', 'title', 'at', $frm_title, l('title'), '', 'onchange="genSEF(this,document.forms[\'post\'].seftitle)"', 'onkeyup="genSEF(this,document.forms[\'post\'].seftitle)"', '', '', '', '', '', '', '');

to:

Code:
html_input('text', 'title', 'at', str_replace('"', '&quot;', $frm_title), l('title'), '', 'onchange="genSEF(this,document.forms[\'post\'].seftitle)"', 'onkeyup="genSEF(this,document.forms[\'post\'].seftitle)"', '', '', '', '', '', '', '');

Regards,

Ruud
Logged
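
Added example, not part of ruud's post or of snews.php: why a title containing a double quote comes back empty in the edit form, and how encoding the value at output time with htmlspecialchars() keeps it intact (it also covers &, <, > and single quotes, which the str_replace() hack does not). render_title_input() and field_value() are hypothetical helpers, and field_value() is only a simplified model of how a browser reads a double-quoted attribute.

```php
<?php
// Hypothetical stand-in for the title field of the edit form (not sNews' html_input()).
function render_title_input(string $title, bool $encode): string
{
    // ENT_QUOTES encodes both " and ', so the title cannot close the attribute early.
    $value = $encode ? htmlspecialchars($title, ENT_QUOTES, 'UTF-8') : $title;
    return '<input type="text" name="title" value="' . $value . '" />';
}

// Simplified model of how a browser reads a double-quoted attribute:
// the value runs up to the next ", then character references are decoded.
function field_value(string $html): string
{
    if (!preg_match('/\svalue="([^"]*)"/', $html, $m)) {
        return '';
    }
    return html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
}

// Constructed sample titles.
$titles = ['"Quoted" title', "It's a 'test'", 'Plain title', 'Tom & "Jerry"'];

foreach ($titles as $title) {
    // Unencoded, a " in the title ends the attribute and the rest is parsed as markup.
    $raw     = field_value(render_title_input($title, false));
    $encoded = field_value(render_title_input($title, true));
    printf("%-18s raw: %-18s encoded: %-18s round-trip ok: %s\n",
        $title,
        $raw === '' ? '(empty)' : $raw,
        $encoded,
        $encoded === $title ? 'yes' : 'no');
}
```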

piXelatedEmpire

  • MIA
  • ULTIMATE member
  • ******
  • Karma: 37
  • Posts: 1401
  • currently MIA
Problems with quotes in title of article
« Reply #3 on: January 09, 2007, 04:14:06 AM »

Quote from: ruud
But this provides only half of the solution I'm afraid, because titles with quotes still are not displayed when the article is edited. If you don't pay attention and focus on the text, you will end up with an error message because you submit an article with an empty title.
This bug has been confirmed.  If you have an article title with quotes in it, then you click the edit button in admin panel to edit the article, the title field of the article is completely deleted (ie blank).  You then must re-enter the article title each time it is edited.

Quote from: ruud
I have hacked the code to circumvent this problem, but I suppose it would be preferable if all forms are checked for this problem. I noticed for instance that double quotes are escaped in the text of an article. This means that between POSTs and SUBMITs you have to strip/add quotes, otherwise people may end up with texts like this if they are editing articles multiple times:

This article contains a word between \\\\"quotes\\\\"

OK, so my hack is to change line 1142:

Code:
html_input('text', 'title', 'at', $frm_title, l('title'), '', 'onchange="genSEF(this,document.forms[\'post\'].seftitle)"', 'onkeyup="genSEF(this,document.forms[\'post\'].seftitle)"', '', '', '', '', '', '', '');

to:

Code:
html_input('text', 'title', 'at', str_replace('"', '&quot;', $frm_title), l('title'), '', 'onchange="genSEF(this,document.forms[\'post\'].seftitle)"', 'onkeyup="genSEF(this,document.forms[\'post\'].seftitle)"', '', '', '', '', '', '', '');

Regards,

Ruud
I shall test this 'hack' and see if this circumvents the problem.
Mika or Luka, any ideas, or is ruud's 'hack' an acceptable fix?
Logged
my apologies to the sNews crew, but I will be MIA for the foreseeable future

philmoz

  • High flyer
  • ULTIMATE member
  • ******
  • Karma: 161
  • Posts: 1988
    • fiddle 'n fly
Problems with quotes in title of article
« Reply #4 on: February 21, 2007, 01:18:37 PM »

NOTE. For some reason, even article or comment text using punctuation... for eg.... don't throws a spanner in the works.. I have implemented mika's !get_magic_quotes_gpc on title, text, and comment in processing, and it appears to now work consistently.

Previously, I could create a new article, but then NO edits would stick. I switched error reporting to all, thinking that maybe I would get a clue.

It is odd, because I had issues on sub-dom db, but not on main-dom db, thought it was host issue. There may well have been some changes they made that brought this to light. Both doms were using identical snews.php... so I don't know what to think now....  :rolleyes:
Logged
Of all the things I have lost, it is my mind that I miss the most.

piXelatedEmpire

  • MIA
  • ULTIMATE member
  • ******
  • Karma: 37
  • Posts: 1401
  • currently MIA
Problems with quotes in title of article
« Reply #5 on: February 22, 2007, 12:56:20 AM »

Quote from: philmoz
NOTE. For some reason, even article or comment text using punctuation... for eg.... don't throws a spanner in the works.. I have implemented mika's !get_magic_quotes_gpc on title, text, and comment in processing, and it appears to now work consistently.
yeah I'm now experiencing the same thing :/
did you just add the magic_quotes fix to the three variables stated?
Logged
my apologies to the sNews crew, but I will be MIA for the foreseeable future

philmoz

  • High flyer
  • ULTIMATE member
  • ******
  • Karma: 161
  • Posts: 1988
    • fiddle 'n fly
Problems with quotes in title of article
« Reply #6 on: February 22, 2007, 01:27:51 AM »

Quote from: piXelatedEmpire
Quote from: philmoz
NOTE. For some reason, even article or comment text using punctuation... for eg.... don't throws a spanner in the works.. I have implemented mika's !get_magic_quotes_gpc on title, text, and comment in processing, and it appears to now work consistently.
yeah I'm now experiencing the same thing :/
did you just add the magic_quotes fix to the three variables stated?
yep. This is the code block.

Code:
$title = !get_magic_quotes_gpc() ? addslashes($_POST['title']) : $_POST['title'];
$seftitle = $_POST['seftitle'];
$url = cleanXSS($_POST['url']);
$comment = !get_magic_quotes_gpc() ? addslashes($_POST['editedcomment']) : $_POST['editedcomment'];
$text = !get_magic_quotes_gpc() ? addslashes($_POST['text']) : $_POST['text'];

Original prob may well have stemmed from php5 upgrade differences. How I don't know!
Logged
Of all the things I have lost, it is my mind that I miss the most.
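
Added example, not sNews code and not from any poster in this thread: the magic_quotes check exists so that a value is escaped exactly once, and the backslash pile-up ruud describes is what happens when it is escaped again on every edit. A bound parameter avoids hand escaping altogether, which matters because get_magic_quotes_gpc() was removed in PHP 8.0. Assumes PDO with the SQLite driver; the table and the helper names are hypothetical.

```php
<?php
// Constructed demo: an in-memory SQLite table stands in for the articles table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO articles (id, title) VALUES (1, '')");

// Save with a bound parameter: the driver keeps the data apart from the SQL text.
function save_title(PDO $db, string $title): void
{
    $stmt = $db->prepare('UPDATE articles SET title = :title WHERE id = 1');
    $stmt->execute([':title' => $title]);
}

function load_title(PDO $db): string
{
    return (string) $db->query('SELECT title FROM articles WHERE id = 1')->fetchColumn();
}

// One edit cycle: load the title into the form, submit it unchanged, save it again.
// $preEscape = true stores the output of addslashes() literally, which is the same
// end state as escaping twice in a hand-built query (magic quotes plus addslashes).
function edit_cycles(PDO $db, string $title, int $cycles, bool $preEscape): string
{
    save_title($db, $title);
    for ($i = 0; $i < $cycles; $i++) {
        $submitted = load_title($db);
        save_title($db, $preEscape ? addslashes($submitted) : $submitted);
    }
    return load_title($db);
}

$title = 'This article contains a word between "quotes"';  // constructed sample

echo "escaped again on each save: ", edit_cycles($db, $title, 2, true), "\n";
echo "bound parameter only:       ", edit_cycles($db, $title, 2, false), "\n";
```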

klaus

  • Newbie
  • *
  • Karma: 0
  • Posts: 24
Problems with quotes in title of article
« Reply #7 on: February 22, 2007, 08:06:08 PM »

Since my .31 upgrade mine won't even accept quotes on the content... :(
Logged

piXelatedEmpire

  • MIA
  • ULTIMATE member
  • ******
  • Karma: 37
  • Posts: 1401
  • currently MIA
Problems with quotes in title of article
« Reply #8 on: February 22, 2007, 11:33:45 PM »

then add philmoz's fix and all will be well
Logged
my apologies to the sNews crew, but I will be MIA for the foreseeable future

Sven

  • ULTIMATE member
  • ******
  • Karma: 88
  • Posts: 2029
  • Chasing MY bugs!
    • hiseo.fr - rédacteur Web
Problems with quotes in title of article
« Reply #9 on: April 27, 2007, 05:44:30 PM »

:|
The fix is to replace:
Code:
$title = str_replace("\'", "&#39;", $_POST['title']);

by Phil's code?
Code:
$title = !get_magic_quotes_gpc() ? addslashes($_POST['title']) : $_POST['title'];
$seftitle = $_POST['seftitle'];
$url = cleanXSS($_POST['url']);
$comment = !get_magic_quotes_gpc() ? addslashes($_POST['editedcomment']) : $_POST['editedcomment'];
$text = !get_magic_quotes_gpc() ? addslashes($_POST['text']) : $_POST['text'];

Nothing else?

piXelatedEmpire

  • MIA
  • ULTIMATE member
  • ******
  • Karma: 37
  • Posts: 1401
  • currently MIA
Problems with quotes in title of article
« Reply #10 on: May 02, 2007, 03:02:08 AM »

I think codetwists fix here fixes the apostrophe issue.
Logged
my apologies to the sNews crew, but I will be MIA for the foreseeable future

katomi-tom

  • Newbie
  • *
  • Karma: 0
  • Posts: 2
Problems with quotes in title of article
« Reply #11 on: May 11, 2007, 04:44:33 AM »

I started to try the fix above but it was just too much code; most all other php I've seen is fairly easy to read.  So I was looking around and found this code: $text = str_replace("'", "\\'", $_POST['text']);  I'm not exactly sure where I found it because I was at work at the time; I'll have to note it though.  It worked great for me, but I'm not sure if my MySQL is UTF-8 or ISO.  I am running MySQL 5.0.27 with PHP 5.1.6.  After I tried this fix and got all excited because it worked, I went to add a comment about it; of course that didn't work, so I had to apply the same code to the comments also.

I believe the code above was from http://pdxphp.org/articles/escaping-injected-data

By the way, this sNews is some excellent work!
« Last Edit: November 04, 2007, 12:47:23 PM by philmoz »
Logged