I'm currently using Zend_Filter_StripTags in a commenting system, but stuff kinda breaks when '<3' is entered. StripTags doesn't seem to be smart enough to realize that it's not an HTML tag, and creating the filter as "new Zend_Filter_StripTags(array('3'))" doesn't seem to work either.
Should I pass the input through a regexp first, or is there a way to get Zend_Filter_StripTags to straighten up and fly right?
Ended up writing a Zend_Filter class that was basically a wrapper for HTMLPurifier. Works perfectly, because HTMLPurifier is a LOT smarter than striptags.
I'm not familiar with Zend much, but if you want stuff like <3 to be allowed, just do htmlspecialchars instead of strip_tags on it.
What you want is Zend_Filter_HtmlEntites most likely.
See: Zend_Filter_HtmlEnties
The problem with htmlspecialchars and Zend_Filter_HtmlEntities is that if you're trying to strip out all html tags ( like 'a' and 'img', etc ), then instead of stripping them, you end up with that markup in your output.
Take comments on a blog for example. If you use htmlspecialchars or Zend_Filter_HtmlEntities, in a comment where someone tries to use html to enter a link you end up with that markup showing up when you display the comment. But if you use strip_tags or Zend_Filter_StripTags you end up mangling the comment, as neither is smart enough to realize that '<3' isn't a tag, and just strips everything from '<3' until the end of the comment ( or until it finds '>' ).
It would be nice if Zend had something like HTMLPurifier, where it actually checks and validates the input before stripping tags. This means that stuff like '<3' gets left alone, where as stuff like 'Awesome Site' becomes 'Awesome Site'.
This is a problem I'm trying to work around, and at the moment it seems like I'm going to end up writing my own Zend_Filter class that's basically a wrapper for HTMLPurifier.
Related
I am working on an issue raised by the security team about a possible XSS attack on a few input fields on our form. Our freemarker page has the following code.
<#assign zipcode = someObject.getInfo().getZipCodeFirstFive()>
I read up on HTML encoding and it talks about adding ?html at the end but I couldn't find the freemarker syntax anywhere. So, could I do something like
<#assign zipcode = (someObject.getInfo().getZipCodeFirstFive())?html>
to make it output encoded?
Yes, that would be a possible syntax for this, though I would recommend two things to make it more readable:
You don't need the extra (), you can just write someObject.getInfo().getZipCodeFirstFive()?html
It's unrelated to escaping, but you don't need to write out getters either, so you end up with someObject.info.zipCodeFirstFive?html
On the longer term, I would recommend escaping by default. Before 2.3.24 that's done by surrounding each template by <#escape x as x?html>...</#escape>. Starting from 2.3.24 the recommended methods is auto-escaping set up globally, in the Configuration.
When I submit my form I am getting an error from my cfinsert function because there is not a database column name "SEARCHFIELD". The problem is "SEARCHFIELD" is not an input in the form I am submitting.
Both forms have close and open tags so I am not sure why my search form input is being referenced in my main forms submission?
Any thoughts?
Two ways I can think of to avoid this, without seeing your actual code it is hard to guess where SEARCHFIELD is coming from. As some of the comments pointed out it would most likely be from a CFPARAM or the name of your submit button in the form.
The first way you could tackle this is the CFINSERT tag has an attribute named formfields where you can list off the columns you wish to insert with. You can see that here in this doc link:
http://help.adobe.com/en_US/ColdFusion/9.0/CFMLRef/WSc3ff6d0ea77859461172e0811cbec22c24-7c78.html
Another way you could do this is you could add code to remove SEARCHFIELD from the FORM scope prior to running the CFINSERT. Which would be as simple as:
<cfset StructDelete(FORM, "SEARCHFIELD") />
You could check to see if it exists and if so then delete it but the StructDelete() will run without issues even if the field does not exist.
I personally do not use CFINSERT/CFUPDATE and I know the default opinion in the community is not to. They do have some benefits though that often are overlooked in that they do parameterise the SQL and offer at least some safety from malicious people. Without knowing anything about what you are doing it is hard to say if using them is actually a shot in your foot in the long run or something just fine to be doing.
I need to find any extra links and print them out. I started by doing:
get_xpath_count('//li/a')
and comparing it to the size of an array that holds the name of all the links for the sidebar. When the count is too high/low, I need to print out all the extra/missing links. I would like to make a list of the names so I can compare it to the array. I've tried a few things like get_text('//li/a'), which returns the name of the first. get_text('//li/a[1]) does the same, but any other index returns nothing.
Any ideas? Also, I need the name that's displayed on the link, not the actual href.
Edit* Also, i'm pretty new to selenium and Xpath. Please let me know if there's info I let out that is needed, or just any suggestions towards thew way I'm going about this.
I have been able to get this to work using CSS element locators. Since I use CSS selectors far more often than Xpath, I find it easier to always use them with Selenium as well.
$selenium->get_text("css=li a:nth-child(1)")
$selenium->get_text("css=li a:nth-child(2)")
$selenium->get_text("css=li a:nth-child(...)")
$selenium->get_text("css=li a:nth-child(n)")
Use:
(//li/a)[$someNumber]
this will get you the text of $someNumber-th //li/a in the XML document.
In order to know what values to use to substitute the $someNumber with, you need to know the total count of these elements:
count(//li/a)
This is in JAVA. You can use the same concept in perl
int totCountInPage=selenium.getXpathCount(//li/a);
for(int count=1;count<=totCountInPage;count++)
System.out.println(selenium.getText("xpath=//li[count]/a"));
This should print text inside the anchor links under all li tag.
I am extremely new to Zend Framework, In registration form, i need label text in two line. For Example:- In the case First name, I need to display like below:
First
Name:
How can i implement this? Please anyone help me!!!
By default, input fields labels are being escaped by Zend_View_Helper_FormLabel. However, you can easy switch this off:
$yourTextInputElement->getDecorator('label')->setOption('escape', false);
This way you can use labels as e.g. $yourTextInputElement->setLabel('First <br/> name');.
What about this nifty solution ?
http://jsfiddle.net/J67GD/
The best way is probably to use Description decorator, or subclass one of other standard ZF decorators.
Yanick's CSS solution might be a good choice too, depending what are you trying to do.
$(this+"p").slideDown("slow");
$(this)+$("p").slideDown("slow");
$("this+p").slideDown("slow");
does not work.
Yeah, your syntax is bad. You should use the jQuery Sibling function:
$(this).siblings().find("p").slideDown("slow");
The jQuery API site is awesome for looking stuff like this up, I rely on it nearly daily. I'd keep an eye on it.
Next.
$(this).next("p").slideDown("slow")
Make sure that the "p" element is directly adjacent, though. Otherwise you'll want to use nextAll.
jQuery have not seemed to apply this? Possibly the syntax we are trying to use is incorrect.
next() can only select elements with an ID or Class - Not just a naked dom element as expected.
Instead use. > means select first level decends only.
$('body > div').hide();
But this gives the exact same result
$('body').children('div').hide();
But,
Next
$('body + div').hide();
and
Previous
$('body ~ div').hide();
Do not seem to work as expected? But jQuery use it as example for CSS selection...
Possibly there is a complex syntax to achieve this but I could not figure it out...