Special chars in text field always considered as changed (editor.js editor PHP)
Special chars in text field always considered as changed (editor.js editor PHP)
Hello Allan,
I'm using dataTable and Editor PHP SERVERSIDE in "STANDALONE MODE".
I've got a lot of standalone field on my pages and I'm using "CHANGE" mode to prevent all field from being updated each time a field is edited.
My problem is that as soon as a text field contains a special char (for instance &), editor consider that it has changed.
The problem seems to come from the _deepCompare function on line 180 (dataTables.editor.js v1.6.2).
The following condition always returns false when special characters are in the field. :
if ( typeof o1 !== 'object' || typeof o2 !== 'object' ) {
return o1 === o2;
}
For example when a field contains the value &test :
console log(o1,o2) ---> &test & amp;test
In database the value is saved as "& amp;test", and is returned that way in json, but the text field just returns "&" so it's always considered as changed.
Can you think of a solution for this ?
Thanks for your help
Julian
Replies
What I think is happening here is the XSS protection is getting in the way. Because DataTables doesn't encode characters by default on display (which is an XSS vector) Editor does the XSS encoding before writing to the database. You could disable that using
->xss( false )
for the field(s) in question in the server-side script.If you do that and it is a public application (i.e. not just an internal office tool), have a look over the security manual page to understand how to protect against XSS attacks.
You'll probably need to save the text once before the "fix" will be noticeable, since it needs to save the decoded value.
Allan
Hi Allan,
I'm coming back on this issue beacause it causes a lot of problem on the application I've built.
I've got a lot of field and a lot of page.
Would it be possible to have the possibility to disable xss globally, instead of per field.
Thanks Julian
You'd need to use
->xss( false )
on each of the fields. The other option is to modify theField.php
file and change the default value in the class.Allan