A little confusion about security
(This post was last modified: 09-06-2015, 12:40 PM by Urastor.)

Hey there,

I rewrote some parts of my admin system, now I got confused.

I'm using the form helper to generate forms and the set_value() function to set data if it exists or if it's in the database. In the past I used this:

PHP Code:
$this->form_creator->setValue('example_field', (set_value('example_field') == false) ? $entry->value : set_value('example_field'));

(Ignore the form_creator thingy)
As you can see, if set_value can't find post data, it uses the default value from the db. After reading the docs a little bit, I found out that set_value actually does exactly the same, so I decided to use this instead:

PHP Code:
$this->form_creator->setValue('example_field', set_value('example_field', $entry->value));

The problem: the text field needs to contain HTML tags, like a <p> or <blockquote>. I live in Germany, so I use the ASCII_to_entities method to convert characters like ä, ü, ö, ß, double quotes, single quotes, and some others. Because we get our articles from Microsoft Office and other Office programs, which use those characters, they're automatically converted, i.e. ä => &#228;, which is absolutely great, because this means we don't need to care much.
Now, if I load the form, because of set_value, those characters are converted to, i.e., &amp;#228;; when I save this, everything goes wrong. Next time I edit the same form, it converts &amp;#288; to &amp;amp;#288;.

I decided to take the third parameter and turn off HTML escaping.

My question: in what way is this safe? Could any code be executed or be harmful if I use the third parameter? Of course, JavaScript can be executed by this, so it's not very XSS-friendly..

I could use a parser for the tags, but I need to use ASCII_to_entities for the Office characters etc., which is a problem..

Any suggestions, tips or?

Greetings, Uri
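The double-encoding described in the post (&#228; becoming &amp;#228; on every edit) comes from escaping an already entity-encoded string a second time. As an added illustration that is not part of the original thread, the plain-PHP snippet below compares three ways of rendering such a stored value into a form field: a second full escape (what produces &amp;#228;), a single-pass escape with htmlspecialchars' double_encode flag set to false, and no escaping at all (the effect of switching the third parameter off). The stored string is a constructed sample, and the helper names are hypothetical; the CodeIgniter helpers from the post are not used here.

```php
<?php
// Added example (not from the original post). Assumes plain PHP >= 7; the
// CodeIgniter form helper and ASCII_to_entities are not used here.

// Constructed sample: roughly what an ASCII_to_entities-style conversion
// leaves in the database for an Office-sourced paragraph.
$stored = '<p>Gr&#252;&#223;e &#8220;Office&#8221; &amp; Co</p>';

// Escaping an already-encoded value again: every '&' in an existing entity
// becomes '&amp;', so &#252; turns into &amp;#252; and grows on each edit.
function escape_double(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8', true);
}

// Single-pass escape: double_encode=false leaves well-formed entities alone
// but still converts raw '<', '>', '"' and "'", so the value cannot close the
// value="..." attribute or the <textarea> it is placed in.
function escape_once(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8', false);
}

// No escaping (the effect of turning the third parameter off): whatever
// markup is stored is written verbatim into the page.
function escape_none(string $s): string {
    return $s;
}

$cases = [
    'double' => escape_double($stored),
    'once'   => escape_once($stored),
    'none'   => escape_none($stored),
];

foreach ($cases as $label => $out) {
    printf("%-6s <textarea name=\"example_field\">%s</textarea>\n", $label, $out);
}
```

Running it shows that only the "once" variant keeps &#252; and &#8220; intact while still turning the stored <p> into &lt;p&gt;, which is what a text area needs: the browser decodes entities inside a textarea for display and submits the decoded characters, so the entity conversion belongs on save and a single escape belongs on output. The "none" variant is the one to avoid, because anything stored in the field, including a stray closing tag, lands in the page unmodified.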


Messages In This Thread
A little confusion about security - by Urastor - 09-06-2015, 12:37 PM


