CMS module for Phprojekt

CMS module for Phprojekt
Tasklist

FS#59 - Escaped quotes in URL links.

Attached to Project: CMS module for Phprojekt
Opened by Mario A. Valdez-Ramirez (mvaldez) - Tuesday, 13 July 2004, 22:24 GMT
Last edited by Mario A. Valdez-Ramirez (mvaldez) - Wednesday, 14 July 2004, 19:02 GMT
Task Type Bug Report
Category Backend / Core
Status Assigned
Assigned To Mario A. Valdez-Ramirez (mvaldez)
Operating System All
Severity Low
Priority Normal
Reported Version any
Due in Version Undecided
Due Date Undecided
Percent Complete 0%
Votes 0
Private No

Details

An user has reported the following on the forums:
Hello! I can't get URL links to work in CM documents. Having:
<a href="redir.php?cm_elink=http://www.test.com">http://www.test.com</a>
in a "Edit document" window, after saving I get
-CMGT-a href=\-CMDQ-redir.php?cm_elink=http://www.test.com\-CMDQ--CMLT-http://www.test.com-CMGT-/a-CMLT-
in a database. And then opening that document my link looks this way:
http://myserver.com/phprojekt/cm/%5C%22redir.php?cm_elink=http://www.test.com\%22

I use Apache with Oracle database on Windows 2000 server. If magic quotes matters, my settings in php.ini are: magic_quotes_gpc = Off
magic_quotes_runtime = Off
magic_quotes_sybase = Off
This task depends upon

Comment by Mario A. Valdez-Ramirez (mvaldez) - Tuesday, 13 July 2004, 22:30 GMT
Our answer was:
> Hello! I can't get URL links to work in
> CM documents. Having: <a href="redir.php?
> cm_elink=http ://www.test.com">http://www.test.com
> </a> in a "Edit document" window...

Yes, that is expected as external links are converted to be redirected by the redir.php script.

> after saving I get -CMGT-a href=\-CMDQ-redir.php?
> cm_elink=http ://www.test.com\-CMDQ--CMLT-
> http ://www.test.com-CMGT-/a-CMLT- in a database.

This is expected too, as those characters (<, >, ") are converted before being stored in the database. (The purpose of this is that all content in the database is stored as character entities and those characters should be preserved later).


> And then opening that document my link looks
> this way: http ://myserver.com/phprojekt/cm/
> %5C%22redir.php?cm_elink=http://www.test.com\%22

Ok, now that is weird. That link is equivalent to this:
http://myserver.com/phprojekt/cm/\"redir.php?cm_elink=http://www.test.com\";


The link reference is quoted and the quotes are escaped. This escaping is happening after the data is extracted from the database, as the links in the database are not escaped.


> I use Apache with Oracle database on Windows 2000 server.
> If magic quotes matters, my settings in php.ini are:
> magic_quotes_gpc = Off
> magic_quotes_runtime = Off
> magic_quotes_sybase = Off
> Thanks for suggestion / solution in advance!
> Benjamin

The CMS has not been tested on Oracle (at least by me). I will try to replicate your configuration to search for an answer. Benjamin, in the mean time try the following:

In the script cm/display.php, around line 136, 141, and 147 wrap the fcm_process_markup function call with the stripslashes function so that it looks like this:
echo stripslashes (fcm_process_markup (fcm_secure_html (fcm_decode_htmlfull ($row1[2])), $cm_path, true));

...like this:
echo stripslashes (fcm_process_markup (fcm_htmlentity (fcm_decode_html ($row1[2])), $cm_path, false));

...and like this:
echo stripslashes (fcm_process_markup ($row1[2], $cm_path, false));

Comment by Mario A. Valdez-Ramirez (mvaldez) - Tuesday, 13 July 2004, 22:32 GMT
Need to test with Oracle and discard some problem with quotes-sybase or the such. The escaping seems to be ocurring when reading from the database. We forgot to confirm the version of the CMS.

Comment by Mario A. Valdez-Ramirez (mvaldez) - Wednesday, 14 July 2004, 19:02 GMT
The user reported fixing it with by wrapping the output with stripslashes. Pending to replicate environment to test.

Severity changed to Normal, as this render the links in content unusable, but there is an easy workaround.

Priority changed to Medium-low, as there is a workaround and it has not been reported before.

Loading...