So I have made a guestbook (http://guestbook.ssdfkx.ch) which has a bug I can't get rid of myself. When you submit an entry and write in HTML text, it is converted into HTML and not plain text. This leads to the problem that one person can mess up the whole website in seconds.
I have tried it with the <plaintext> tag. But if I do so, even when I close the tag again, everything from the tag down turns into plain text.
Help is appreciated. The following is my code:
while ($row = mysqli_fetch_object($ergebnis)) {
$message = $row->message;
$name = $row->name;
$date = $row->date;
$id = $row->id;
$datetime = new DateTime($date);
$formatteddate = $datetime->format('d.m.Y');
$formattedmessage = nl2br($message);
if ($_SESSION['logged_in'] == true) {
$entryfeld = '<article>
<div>
<main>
<div class="innerdiv">
<p>'.$formattedmessage.'</p>
</div>
</main>
<div class="innerleft">
<form method="POST">
<input name="id" type="hidden" value="'. $id . '"/>
<input name="löschen" class="deletebutton" id="deletebutton" value="Löschen" type="submit"> </form>
<br/>
<p id="innerleftp">'.$name.'</p>
</div>
<div class="innerrightdel">
<p>'.$formatteddate.'</p>
</div>
</div>
</article>';
EDIT: Well, the variable $formattedmessage is what the user enters. If the user enters HTML it actually converts it which should not be happening. I tried using the <plaintext> tag before and after the variable. It somehow changed everything after the variable into plain text and not only the user input.
Related
I found this link that suggested injecting a table into a div.
enter link description here
Here is an example of new HTML that I want to inject:
<br />
<br />
<LSz class='LineSpaceDouble'>
Hi, <p class='FIRST_NAME'> </p> <br><br>
Hi <p class='FIRST_NAME'> </p>, my name is <p class='MYNAME'> </p> .
More Text.<br>
</LSz>
<br />
<label for='PBirthDate'>Primary Birthdate:</label>
<input id='PBirthDate' class='input100' type='text' name='PBirthDate' placeholder='mm/dd/yr' size='10'>
<span class='focus-input100'></span>
<br />
Here is my current jq code that does the injection:
var S = J;
$(S).appendTo('#Script_Displayed');
J holds HTML text to be injected.
and Script_Displayed is the id of the div
THAT works -- in that the "text" is indeed injected into the web page where the div is located.
My problem is when I attempt to change a value:
var Z = document.getElementsByClassName('FIRST_NAME');
Z.innerHTML = "Anthony";
The new innerHTML value does not appear on the web page.
What Can I do to make these changes visible?
The function getElementsByClassName returns a collection of elements, not a single element. So this won't work by default:
Z.innerHTML = "Anthony";
Instead, loop over the collection to assign the innerHTML value to each element in the collection:
var Z = document.getElementsByClassName('FIRST_NAME');
for (let el of Z) {
el.innerHTML = "Anthony";
}
Hi, <p class='FIRST_NAME'> </p> <br><br>
Hi <p class='FIRST_NAME'> </p>, my name is <p class='MYNAME'> </p> .
More Text.<br>
How does one with perl change an html element's value using the html element's ID. How do you do this in the code.
For example:
<div id="container">
<form id="form" action="../code.cgi" method="post">
<label id="lblMessage" class="text">Message</label>
</form>
</div>
How would I change the label's text in my perl script?
Get an HTML or XML parser find the element (e.g., by XPath expression), and remove all its child text nodes, and add a new text node with the text you want.
use strict;
use warnings;
use XML::LibXML;
my $dom = XML::LibXML->load_html(location => 'myfile.html');
my $xpath = XML::LibXML::XPathContext->new($dom);
foreach my $label ($xpath->findnodes('//label[#id="lblMessage"]')) {
$label->removeChildNodes();
$label->addChild($dom->createTextNode("new text"));
}
Caveat: if there are other nodes (elements, like <b> or <span>) in your label, these get removed as well.
You probably need to add some code to write the modified html back to a file.
I, personally like HTML::TreeBuilder for this sort of task.
use HTML::TreeBuilder;
my $html = <<END;
<div id="container">
<form id="form" action="../code.cgi" method="post">
<label id="lblMessage" class="text">Message</label>
</form>
</div>
END
my $root = HTML::TreeBuilder->new_from_content( $html );
$root->elementify(); # Become a tree of HTML::Element objects.
my $message = $root->find_by_attribute( 'id', 'lblMessage' )
or die "No such element";
$message->delete_content();
$message->push_content('I am new stuff');
print $root->as_HTML();
I have Joomla 2.5 installed.
I developed some little module which generates html code.
Now, when it outputs the generated code, Joomla wraps it in <p> tags.
This causes two problems:
1. My css doesn't apply well because of paragraphing.
2. Paragraphs are crossing other tags.
For example here is a part of the module code:
<div class="formBlock">
<div class="label"><?php echo LABEL_PROJ_DESC; ?></div>
<textarea class="descbox"
id="descriptionBox"
name="rp_proj_desc"
cols="35"
rows="6"><?php echo $sender_description; ?></textarea>
</div>
<div class="formBlock">
<div class="label"><?php echo LABEL_PRODUCTS; ?></div>
<div class="formTable">
<?php
foreach($products as $id => $product)
{
$checked = "";
foreach($selectedProducts as $selectedId => $name)
{
if ($id == $selectedId)
{
$checked = "yes";
break;
}
}
?>
<div class="productsRow">
<span>
<input class="formCheckbox"
type="checkbox"
<?php
if ($checked)
{
echo "checked=yes ";
}
?>
name="<?php echo PROD_PREFIX . $id; ?>" />
</span>
<span class="productsName"><?php echo trim($product); ?></span>
</div>
<?php
}
?>
</div>
</div>
What I actually get is:
<div class="formBlock">
<div class="label">Your project description:</div>
<p> <textarea class="descbox"
id="descriptionBox"
name="rp_proj_desc"
cols="35"
rows="6"></textarea>
</div>
<div class="formBlock">
<div class="label">Our products you interested in:</div>
<div class="formTable">
<div class="productsRow">
<span></p>
<input class="formCheckbox"
type="checkbox"
name="product_0" />
</span>
<span class="productsName">Product1</span>
</div>
<div class="productsRow">
<span></p>
<input class="formCheckbox"
type="checkbox"
name="product_1" />
</span>
<span class="productsName">Product2</span>
</div>
<div class="productsRow">
<span></p>
<input class="formCheckbox"
type="checkbox"
name="product_2" />
</span>
<span class="productsName">Cheese</span>
</div>
</p>
</div>
</div>
Put attention to <p> and </p> tags.
If search amount of <p> and </p> elements in "view source" page it will:
<p> - 12
</p> - 18
It means that something really wrong happening with Joomla...
I guess that it is some plugin influencing it. I listed all plugins, especially those of type - "content" but didn't find any causing the problem.
These are the enabled plugins:
plg_editors-xtd_article
plg_finder_categories
plg_search_categories
plg_editors_codemirror
Xmap - Content Plugin
plg_finder_contacts
plg_search_contacts
plg_finder_content
plg_search_content
plg_system_debug
plg_content_emailcloak
plg_quickicon_extensionupdate
System - Gantry
plg_content_geshi
plg_system_highlight
plg_editors-xtd_image
Content - ITPShare
Editor - JCE
plg_authentication_joomla
plg_extension_joomla
plg_user_joomla
plg_quickicon_joomlaupdate
System - Jquery
plg_content_loadmodule
plg_system_log
plg_system_logout
AcyMailing Manage text
plg_finder_newsfeeds
plg_search_newsfeeds
plg_editors_none
AcyMailing Tag : Website links
plg_system_p3p
plg_content_pagebreak
plg_editors-xtd_pagebreak
plg_content_pagenavigation
plg_editors-xtd_readmore
plg_captcha_recaptcha
plg_system_redirect
AcyMailing : (auto)Subscribe during Joomla registration
plg_system_remember
System - RokExtender
plg_system_sef
AcyMailing : share on social networks
SIGE
AcyMailing : Statistics Plugin
AcyMailing table of contents generator
AcyMailing Tag : content insertion
AcyMailing Tag : Subscriber information
AcyMailing Tag : Manage the Subscription
AcyMailing Tag : Date / Time
AcyMailing Tag : Joomla User Information
AcyMailing Template Class Replacer
plg_editors_tinymce
plg_content_vote
plg_finder_weblinks
plg_search_weblinks
System - Shortcodes
Any ideas?
It's the editor (probably TinyMCE) that inserts these <p> tags. You should consider switching to "no editor" option (or another editor) - it can be set under "Global Configuration" screen, in the "Site" tab.
Also, in order to embed PHP code in your articles you should use a plugin such as DirectPHP.
Solved!!!
It was System - Shortcodes plugin of Zauan Shortcodes which distroyed my code.
Make sure that the textbox you created is not an RTF field.
If you use RTF field, then tags would be created automatically.
Am just learning html. I need to write code that solves the quadratic equation formula. I tried php code embeding in html but am getting blank output. How do I get user values a, b, c and display conditional answers?
Here's a simple example of what you need to do. First make a HTML form:
<form method="post" action="index.php">
<input type="text" name="a" value="Enter 'a'" />
<input type="text" name="b" value="Enter 'b'" />
<input type="text" name="c" value="Enter 'c'" />
<input type="submit" name='calc' value="Calculate" />
</form>
There is your form. Now the calculations:
<?php
// Check if the form is submitted
if (isset($_POST['calc'])) {
//assign variables
$a = $_POST['a'];
$b = $_POST['b'];
$c = $_POST['c'];
//after assigning variables you can calculate your equation
$d = $b * $b - (4 * $a * $c);
$x1 = (-$b + sqrt($d)) / (2 * $a);
$x2 = (-$b - sqrt($d)) / (2 * $a);
echo "x<sub>1</sub> = {$x1} and x<sub>2</sub> = {$x2}";
} else {
// here you can put your HTML form
}
?>
You need to do more checks on it, but as I said before this is a simple example.
Edit: learn from the source , the official php site: http://php.net/manual/en/tutorial.forms.php
1.Create a form with the fields you want. <form method='post' ....>...</form>
2.The user submit the form and then write a PHP code which get the posted data ($_POST)
and manipulate it according to the quadratic equation formula.
3.Echo the result.
I have smaller example.
This file sends data from form to itself. When it sends something - result of condition
$_SERVER['REQUEST_METHOD']=='POST'
is true. If its true - server process code in "if" block. It assigns data sent from form to 2 variables, then adds them and store in "$sum" variable. Result is displayed.
<html>
<body>
<form method="POST">
<p>
A: <br />
<input name="number_a" type="text"></input>
</p>
<p>B: <br />
<input name="number_b" type="text"></input>
</p>
<p>
<input type="submit"/>
</p>
</form>
<?php
if ($_SERVER['REQUEST_METHOD']=='POST') // process "if block", if form was sumbmitted
{
$a = $_POST['number_a'] ; // get first number form data sent by form to that file itself
$b = $_POST['number_b'] ; // get second number form data sent by form to that file itself
$sum = $a + $b; // calculate something
echo "A+B=" . $sum; // print this to html source, use "." (dot) for append text to another text/variable
}
?>
</body>
</html>
You need PHP server to test/use this! PHP file must be processed by web server, which creates page. Opening php file from disk will not work. If you need more explanations - ask for it in comments.
My homepage pulls in content from my MySQL database to create a blog. I've got it so that it only displays an extract from the posts. For some reason it displays HTML tags as well rather than formatting it using the tags (See picture below).
Any help is appreciated.
Homepage:
<html>
<head>
<title>Ultan Casey | Homepage</title>
<link rel="stylesheet" href="css/style.css" type="text/css" />
</head>
<body>
<div class="wrapper">
<div id="upperbar">
Home
About Me
Contact Me
Twitter
<form id="search-form" action="/search" method="get">
<input type="text" id="textarea" size="33" name="q" value=""/>
<input type="submit" id="submit" value="Search"/>
</form>
</div>
<div id="banner">
<img src="images/banner.jpg">
</div>
<div class="sidebar"></div>
<div class="posts">
<?php
mysql_connect ('localhost', 'root', 'root') ;
mysql_select_db ('tmlblog');
$sql = "SELECT * FROM php_blog ORDER BY timestamp DESC LIMIT 5";
$result = mysql_query($sql) or print ("Can't select entries from table php_blog.<br />" . $sql . "<br />" . mysql_error());
while($row = mysql_fetch_array($result)) {
$date = date("l F d Y", $row['timestamp']);
$title = stripslashes($row['title']);
$entry = stripslashes($row['entry']);
$id = $row['id'];
?>
<?php echo "<p id='title'><strong>" . $title . "</strong></p>"; ?><br />
<div class="post-thumb"><img src="thumbs/<?php echo $id ?>.png"></div>
<?php echo htmlspecialchars(substr($entry, 0, 1050)) ?>...
<br>
<hr><br />
Posted on <?php echo $date; ?>
</p>
</div>
</div>
</p
<?php
}
?>
</div>
</div>
</div>
</body>
</html>
Image:
You're passing your post through htmlspecialchars, which encodes < as < and > as >, among other things. This means they display as < and > instead of being parsed as html tags.
The whole point of htmlspecialchars is to produce text that's inert in HTML... to make it display as-is.
A better way to do this is to NOT store <br /> (or any other html) in your post. Instead, use regular line breaks, and echo nl2br(htmlspecialchars($text)) into your page.
If you absolutely need to allow html, you might consider something like HTML Purifier to handle escaping nasty stuff, in which case you'd skip the htmlspecialchars call. Just beware: It's not a good idea to write your own filter to stop malicious code when displaying user-supplied HTML.
echo substr($entry, 0, 1050)