CodeIgniter Forums
"Disallowed Key Characters" for HTML content - even using $_POST?! - Printable Version

+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Archived Discussions (https://forum.codeigniter.com/forumdisplay.php?fid=20)
+--- Forum: Archived Development & Programming (https://forum.codeigniter.com/forumdisplay.php?fid=23)
+--- Thread: "Disallowed Key Characters" for HTML content - even using $_POST?! (/showthread.php?tid=23606)

Pages: 1 2

"Disallowed Key Characters" for HTML content - even using $_POST?! - El Forum - 10-16-2009

[eluser]mattpointblank[/eluser]
Hi all.

Writing an email newsletter script. It uses TinyMCE rich text editor for HTML.

If I use a string like "<span style="bold;">text</span>" it immediately breaks and I get the "Disallowed Key Characters" error. I tried replacing my calls to $this->input->post('html') with $_POST['html'] but still get this message, even after disabling global xss filtering. It seems CI is intercepting my (ajax) form post still.

Is there any way I can just grab my raw html (which has been filtered by TinyMCE anyway) and email it? This is pretty frustrating.

Thanks,
matt

"Disallowed Key Characters" for HTML content - even using $_POST?! - El Forum - 10-16-2009

[eluser]Jônatan fróes[/eluser]
did you try without ajax?

"Disallowed Key Characters" for HTML content - even using $_POST?! - El Forum - 10-16-2009

[eluser]mattpointblank[/eluser]
No, good point I guess, but ultimately this app is definitely going to be using ajax for this function, so I'd rather find a proper fix for it now.

"Disallowed Key Characters" for HTML content - even using $_POST?! - El Forum - 10-16-2009

[eluser]Jônatan fróes[/eluser]
In this script I've used CI/ajax/TinyMCE:
ShowCase
.
I'm not sure if form_open adds 'enctype="multipart/form-data"'. So, instead of
Code:
&lt;?= form_open('url'); ?&gt;

i used
Code:
&lt;form action="&lt;?= site_url('url'); ?&gt;" method="post" enctype="multipart/form-data" class="ajax_form"&gt;

And the js (by jQuery):

Code:
$(document).ready(function(){
    //ajax form
    $(".ajax_form").submit(function() {
       $(this).ajaxStart(function() {
                $('#result').empty();
                $('#result').append('<p>processing...<p/>');
       });
       var options = {
           target: "#result",
           type: "post",
           success: function(result) {
                        $('#loading').fadeOut(500, function() {
                            $(this).remove();
                            $('#result').append(result);
                        });
           }
       }
       $(this).ajaxSubmit(options);
       return false;
    });
});


"Disallowed Key Characters" for HTML content - even using $_POST?! - El Forum - 10-16-2009

[eluser]Jônatan fróes[/eluser]
[quote author="Jônatan fróes" date="1255713045"]In this script I've used CI/ajax/TinyMCE:
ShowCase
.
I'm not sure if form_open adds 'enctype="multipart/form-data"'. So, instead of
Code:
&lt;?= form_open('url'); ?&gt;

i used
Code:
&lt;form action="&lt;?= site_url('url'); ?&gt;" method="post" enctype="multipart/form-data" class="ajax_form"&gt;

And the js (by jQuery):

Code:
$(document).ready(function(){
    //ajax form
    $(".ajax_form").submit(function() {
       $(this).ajaxStart(function() {
                $('#result').empty();
                $('#result').append('<p>processing...<p/>');
       });
       var options = {
           target: "#result",
           type: "post",
           success: function(result) {
                        $('#loading').fadeOut(500, function() {
                            $(this).remove();
                            $('#result').append(result);
                        });
           }
       }
       $(this).ajaxSubmit(options);
       return false;
    });
});
[/quote]


And inside the form I added am empty div with id="result"

"Disallowed Key Characters" for HTML content - even using $_POST?! - El Forum - 10-16-2009

[eluser]mattpointblank[/eluser]
That sort of code works for me, but in my ajax function, it works like this:

Code:
$('#sendPreview').bind('click', function(){
        
                title = $('#title').val();
        html = $('#content').val();
         email = $('#email').val();

        $.ajax({
            type: "POST",
            url: "&lt;?php echo site_url(); ?&gt;/newsletter/sendPreview",
            data: "title="+title+"&html;="+html+"&email;="+email,
            success: function(msg){
                //alert('The preview email was sent!');
                alert(msg);
            }
         });
     });

Eg, my script posts to a webpage and sends data, which is when it encounters CI's $_POST filtering.

"Disallowed Key Characters" for HTML content - even using $_POST?! - El Forum - 10-19-2009

[eluser]mattpointblank[/eluser]
I feel like this thread might be related: http://ellislab.com/forums/viewthread/65152/

That user was having issues if his textarea contained the word 'method'. The function that's giving me this error message is supposed to be checking keys, not values - eg, shouldn't it be validating my form field NAMES, not their content? My form field is just called 'html' - the error I get is a bit of weirdly converted HTML:

Code:
Disallowed Key Characters: nbsp;</p>
<p_style

Anyone got any ideas?

"Disallowed Key Characters" for HTML content - even using $_POST?! - El Forum - 10-19-2009

[eluser]mattpointblank[/eluser]
Fixed it. Jônatan fróes was right, it was the AJAX.

All I needed to do was use escape() in the javascript data to escape my HTML, then it worked fine.

"Disallowed Key Characters" for HTML content - even using $_POST?! - El Forum - 11-28-2009

[eluser]Dojjjan[/eluser]
I have the same problem here but i didn't understand how you soloved it?

I use tinyMCE and tinyMCE imagemanager for making posts to a blog and i what to use jquerys ajax function for submiting the form. But i get "Disallowed Key Characters" for the html that tinyMCE produces. It works just fine without the ajaxfunction and i dont what to use the $this->db->escape() function because it messes up the html when it gets displayed on the blog (is there an unescape function that i don know about? im new to codeigniter).

this is the jquery ajaxfunction i use.

Code:
$('#blog_save_btn').click(function(){
        var headline = tinyMCE.get('blog_headline').getContent();
        var content = tinyMCE.get('blog_content').getContent();

        $('#blog_site').html('<br/><center><img src="assets/images/ajax-loader.gif" style="border:0;"/> Laddar poster...</center>');
        var data_string = "save=true&blog;_headline="+headline+"&blog;_content="+ content;
    
        $.ajax({
                   type: "POST",
                   url: "&lt;?php echo base_url();?&gt;index.php/edit_vidga/blogpost_ajax_save",
                   dataType: "html",
                   data: data_string,
                   cache: false,
                
                   success: function(response){
                        $("#blog_site").html(response);    
                         tinyMCE.get('blog_headline').setContent("");
                         tinyMCE.get('blog_content').setContent("");    
                            add_handlers();        
                       }
                 });

        $("#make_posts").slideUp("slow");
        return false;
    });

How did you guys sollove this problem? did you escape the datastring with $this->db->escape()? and if so how did you get the html not to break when the data in the database is displayed on the webpage again?

"Disallowed Key Characters" for HTML content - even using $_POST?! - El Forum - 11-28-2009

[eluser]mattpointblank[/eluser]
Use the Javascript escape() function on your TinyMCE's value before it gets sent to your php page.