Prevent Sanitizing of "<" and ">" etc

Prevent Sanitizing of "<" and ">" etc

ramixramix Posts: 8Questions: 2Answers: 0

Hi,
though I understand it's coming from a security aspect, when submitting text through DataTables editor (php version), sometimes - the field represents free text or HTML, and if I submit text that has special characters such as "<" and ">", they are inserted into the database as "<" and ">".

This is bad in 2 cases:
1. If this user on the DatatTables page is a trusted user, and needs to inject HTMLdata into a field.
2. Even if it's an untrusted user, but it's legit to type something like: "Day 1 > Breakfast > Eggs" - this should be "plain as is" in the DB, and in this case, just needs to be converted to the special characters with their corresponding HTML codes.

The fact of the using is being trusted or not is not really relevant to this question, but bottom line -
How can I make it that if I write "<" in a field vie the editor, it will be inserted to the Database as "<" and not as "&lt"?

Answers

  • ramixramix Posts: 8Questions: 2Answers: 0

    After posting this, Needing a solution desperately, I rtfm and found that I can just use "->xss(false)," in addition to the select field, so for example, for a field called "html" - where I trust the users input, it would be:
    "Field::inst( 'html' )->xss(false),".
    I would just like to make sure - using this for other text fields - assuming I am handling text security on the front end, is this the right way to allow such input like "Main > Sub"? (wihtout "<" turning into "lt;")?

    and, is there an easy way to apply this on all text fields, vie config or something, without needing to add this to every field?

  • allanallan Posts: 61,446Questions: 1Answers: 10,054 Site admin

    , is this the right way to allow such input like "Main > Sub"? (wihtout "<" turning into "lt;")?

    Correct!

    is there an easy way to apply this on all text fields, vie config or something, without needing to add this to every field?

    I'm afraid not. At the moment it needs to be applied to each field. Or if you were happy to change the library you could change the default to be false.

    Allan

Sign In or Register to comment.