Gossamer Forum
escape_html Description
I have Descriptions written in a variety of languages. They work fine when created and when listed.

However, when the Descriptions are to be modified, the <%escape_html Description%> gives a messy bunch of characters, not the writing of another language.

I understand about html, and the risk of XSS attacks.

How can I give my user their Description in their language so they can modify it, without subjecting the site to the risk of XSS attacks?

Thanks,
Tora
Re: [tora] escape_html Description In reply to
So it doesn't show the description as "broken" if you don't use GT::SQL->html_escape() ?

I'm a bit confused as to why it would break - seeing as all it's doing is:

Code:
if (ref($toencode) eq 'SCALAR') {
    $$toencode =~ s/&/&amp;/g;
    $$toencode =~ s/</&lt;/g;
    $$toencode =~ s/>/&gt;/g;
    $$toencode =~ s/"/&quot;/g;
    $$toencode =~ s/'/&#039;/g;
}
else {
    $toencode =~ s/&/&amp;/g;
    $toencode =~ s/</&lt;/g;
    $toencode =~ s/>/&gt;/g;
    $toencode =~ s/"/&quot;/g;
    $toencode =~ s/'/&#039;/g;
}

What encoding is your site set in? UTF-8 or ISO-8859-1? Have you changed the DB to store in UTF8?

Cheers

Andy (mod)
andy@ultranerds.co.uk
Want to give me something back for my help? Please see my Amazon Wish List
GLinks ULTRA Package | GLinks ULTRA Package PRO
Links SQL Plugins | Website Design and SEO | UltraNerds | ULTRAGLobals Plugin | Pre-Made Template Sets | FREE GLinks Plugins!

Last edited by:

Andy: Apr 30, 2016, 3:34 AM
Re: [Andy] escape_html Description In reply to
Yes, looking in Setup Options, Misc. Options, it is ISO-8859-1, which works fine for me in the admin and browser.


I see it also says:
Quote:
This is the character set that will be sent to the web browser for admin and browser pages. This should match the character set of your actual link data that is stored in the database. The character set will also be used in the luna template set, but can be changed to something else (e.g. if you have template sets in several languages), by modifying the include_common_head.html template.

Looking at that template, I see the first line is:

Quote:
<meta http-equiv="content-type" content="text/html; charset=<%config.header_charset || iso-8859-1%>" />
I suppose that part should be changed for each language. I can think of some cumbersome ways to change it.

What is an easy/elegant way to automate that?
Thanks
Tora
Re: [tora] escape_html Description In reply to
Mmm.. can you try this global:

utf8_safe_escape
Code:
sub {
    use Unicode::MapUTF8 qw(to_utf8 from_utf8 utf8_supported_charset);
    # Convert each run of high-bit bytes from UTF-8 to ISO-8859-1.
    $_[0] =~ s/([\200-\377]+)/from_utf8({ -string => $1, -charset => 'ISO-8859-1'})/eg;
    # Escape the five HTML metacharacters; the ampersand must go first.
    $_[0] =~ s/&/&amp;/g;
    $_[0] =~ s/</&lt;/g;
    $_[0] =~ s/>/&gt;/g;
    $_[0] =~ s/"/&quot;/g;
    $_[0] =~ s/'/&#039;/g;
    return $_[0];
}

Call with:

Code:
<%utf8_safe_escape($Description)%>

Untested, but worth a try :)

Cheers

Andy (mod)
andy@ultranerds.co.uk
Re: [Andy] escape_html Description In reply to
Thanks, Andy, this looked like a good solution.

I tried "hello world" as translated by google translate into Russian. &#1055;&#1088;&#1080;&#1074;&#1077;&#1090; &#1084;&#1080;&#1088; . It looks fine as a link Description.

When I tried to modify the description I got this error message in the description field of the form.
Quote:
Unable to compile 'utf8_safe_escape': Can't locate Unicode/MapUTF8.pm in @INC (@INC contains: /var/home/cyberinstitute/bizomat.com/cgi-bin/links/admin /etc/perl /usr/lib/perl5/site_perl/5.8.4/x86_64-linux /usr/lib/perl5/site_perl/5.8.4 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.4/x86_64-linux /usr/lib/perl5/vendor_perl/5.8.4 /usr/lib/perl5/vendor_perl /usr/lib/perl5/5.8.4/x86_64-linux /usr/lib/perl5/5.8.4 /usr/local/lib/site_perl .) at (eval 21) line 2.
BEGIN failed--compilation aborted at (eval 21) line 2.



I have not had this kind of problem before, and Gossamer-Threads does the hosting, so I expect it is not a fundamental software problem. (Yay Gossamer-Threads!) But maybe I have to contact them?

Maybe, however, the global needs a tweak? I don't quite understand what it does, so I cannot suggest changes.


Thank you so much!
Re: [tora] escape_html Description In reply to
Hi,

Try asking GT to install the Unicode::MapUTF8 Perl module.

It's a bit hit and miss as to how this is going to work with Russian (not sure how that works with ISO-8859-1 ... but it's worth a shot :))

Cheers

Andy (mod)
andy@ultranerds.co.uk
Re: [Andy] escape_html Description In reply to
Thanks, will do!

And wishing I could send you lots of our Roman sunshine for your bank holiday weekend.

thanks again,
Tora
Re: [tora] escape_html Description In reply to
Quote:
And wishing I could send you lots of our Roman sunshine for your bank holiday weekend.

Hehe, I'm stuck indoors working anyway.

Cheers

Andy (mod)
andy@ultranerds.co.uk
Re: [Andy] escape_html Description In reply to
Thanks again for your suggestion, and GT have now installed Unicode::MapUTF8 Perl module on my server.

I no longer get the error message, but my problem is still not solved - the Russian for "hello world" still looks like a string of random characters, not the correct Russian script which appears in unescaped form.

Any ideas?
Re: [tora] escape_html Description In reply to
Hi,

Mmm.. not too sure :/ Afraid I'm a bit too busy to have a play around with it at the moment :(

Cheers

Andy (mod)
andy@ultranerds.co.uk
Re: [Andy] escape_html Description In reply to
I'll try googling about translations and characters, and also see whether others on this forum have ideas.

Thanks for all your help!!
Re: [tora] escape_html Description In reply to
The solution was to switch to UTF-8. Thanks, Adrian!
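
Added example, not part of the original thread and not Gossamer Threads code: a Perl sketch of how the five-character escape quoted above behaves on text posted from an ISO-8859-1 page versus a UTF-8 page. It assumes the Cyrillic text arrived as numeric character references, which is how browsers submit characters an ISO-8859-1 form cannot represent; the sample strings and the html_escape name are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Encode qw(decode);

# The same five substitutions as the escape code quoted earlier in the thread.
sub html_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#039;/g;
    return $s;
}

# Constructed sample 1: form posted from an ISO-8859-1 page. The browser has
# already replaced the Cyrillic letters with numeric character references.
my $latin1_post = '&#1055;&#1088;&#1080;&#1074;&#1077;&#1090; <script>';

# Constructed sample 2: the same text posted from a UTF-8 page, as raw bytes.
my $utf8_post = "\xD0\x9F\xD1\x80\xD0\xB8\xD0\xB2\xD0\xB5\xD1\x82 <script>";

# Case 1: the ampersands are escaped, so an edit form shows the literal
# references instead of letters. The markup is neutralised either way.
my $case1 = html_escape($latin1_post);

# Case 2: only ASCII metacharacters change; the multi-byte sequences are
# untouched and still decode as valid UTF-8.
my $case2   = html_escape($utf8_post);
my $decoded = decode('UTF-8', $case2, Encode::FB_CROAK | Encode::LEAVE_SRC);

binmode STDOUT, ':encoding(UTF-8)';
print "ISO-8859-1 post, escaped: $case1\n";
print "UTF-8 post, escaped:      $decoded\n";
print "UTF-8 bytes preserved:    ",
    (index($case2, "\xD0\x9F\xD1\x80") == 0 ? "yes" : "no"), "\n";
```

In both cases the `<script>` tag is escaped, so moving the site to UTF-8 keeps the XSS protection while letting the edit form show the original script.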