
Avoiding htmlspecialchars()

Posted: Fri Oct 11, 2019 9:53 pm
by MarkDHamill
EPV flags the use of htmlspecialchars() in my Smartfeed extension as an error.
Error: Using htmlspecialchars on line 974 in /controller/feed.php
Is there a workaround? I think in the past the extension review team gave it a waiver. Since I am outputting XML in my extension, it's kind of hard not to use. Example:

Code:

$link = htmlspecialchars($board_url . 'ucp.' . $this->phpEx . '?i=pm&mode=view&f=0&p=' . $row['msg_id']);

Re: Avoiding htmlspecialchars()

Posted: Fri Oct 11, 2019 9:58 pm
by Paul
That epv gives a message doesn't mean it will get denied. It will just warn us that we need to look at something and make a decision based on that.

Re: Avoiding htmlspecialchars()

Posted: Fri Oct 11, 2019 10:04 pm
by AbaddonOrmuz
You could use the wrapper utf8_htmlspecialchars() to fix that warning.

https://github.com/phpbb/phpbb/blob/3.2 ... 1344-L1350

Re: Avoiding htmlspecialchars()

Posted: Fri Oct 11, 2019 10:55 pm
by MarkDHamill
AbaddonOrmuz wrote:
Fri Oct 11, 2019 10:04 pm
You could use the wrapper utf8_htmlspecialchars() to fix that warning.

https://github.com/phpbb/phpbb/blob/3.2 ... 1344-L1350
Thanks. This looks like a reasonable solution. It still gives one error in the function, but that's an improvement on many.

Re: Avoiding htmlspecialchars()

Posted: Sat Oct 12, 2019 7:03 am
by Paul
No, please don't and just ignore the epv warning. It won't be denied for it.

Re: Avoiding htmlspecialchars()

Posted: Sat Oct 12, 2019 2:58 pm
by mrgoldy
Out of curiosity, what needs to be escaped in the URL in the first place?
There is the base domain name (with potential subfolders), okay, but they should already be valid.
Then you have the regular link and add a message id, which sounds like it is an integer.

Re: Avoiding htmlspecialchars()

Posted: Sat Oct 12, 2019 3:06 pm
by MarkDHamill
Mostly it's URLs where the & must be changed to &amp; for key/value pairs. When the feed is validated, it won't pass validation unless these are changed. Much of the content is placed inside of CDATA sections, which gives an escape from the rules. The feed title also needs entities replaced.

Re: Avoiding htmlspecialchars()

Posted: Sat Oct 12, 2019 8:49 pm
by 3Di

Code:

$link = $board_url . 'ucp.' . $this->phpEx . '?i=pm&mode=view&f=0&p=' . $row['msg_id'];
$link = htmlentities($link, ENT_QUOTES, 'UTF-8');

Re: Avoiding htmlspecialchars()

Posted: Sat Oct 12, 2019 8:57 pm
by MarkDHamill
I assume this does not trigger EPV errors.

Re: Avoiding htmlspecialchars()

Posted: Sat Oct 12, 2019 9:02 pm
by 3Di
You can try; if it does, just ignore those errors as Paul said. EPV can be used online to check your default branch, did you know?
I think htmlentities() is the right function to be used here, for your use case.

Re: Avoiding htmlspecialchars()

Posted: Sat Oct 12, 2019 9:24 pm
by MarkDHamill
I have downloaded EPV and checked it locally. I haven't tried it with this change. It would seem strange if it were allowed and htmlspecialchars were not, since I don't see much difference between them.

Re: Avoiding htmlspecialchars()

Posted: Sat Oct 12, 2019 9:49 pm
by 3Di
MarkDHamill wrote:
Sat Oct 12, 2019 9:24 pm
I don't see much difference between them.
I honestly do.
htmlentities — Convert all applicable characters to HTML entities
htmlspecialchars — Convert special characters to HTML entities

Performed translations

Character            Replacement
& (ampersand)        &amp;
" (double quote)     &quot;, unless ENT_NOQUOTES is set
' (single quote)     &#039; (for ENT_HTML401) or &apos; (for ENT_XML1, ENT_XHTML or ENT_HTML5), but only when ENT_QUOTES is set
< (less than)        &lt;
> (greater than)     &gt;
MarkDHamill wrote:
Sat Oct 12, 2019 9:24 pm
I have downloaded EPV and checked it locally. I haven't tried it with this change.
Sorry but I don't see a reason to be arguing about something if it hasn't been tested first. :)

Re: Avoiding htmlspecialchars()

Posted: Sun Oct 13, 2019 12:51 am
by MarkDHamill
I wasn't arguing, I just didn't have a chance to test it out. htmlentities() does not trigger an EPV error and doesn't appear on initial testing to cause any issues with feed validation. Presumably htmlspecialchars() was flagged by EPV for a reason. Maybe htmlentities() should have been too. Not sure what the criteria are for being included as a flag by EPV.

Re: Avoiding htmlspecialchars()

Posted: Sun Oct 13, 2019 12:58 am
by 3Di
I meant to say "discuss", which according to my dictionary means the same thing in the present context, as per "why discuss something not yet tried?" Sure thing, I am not a native speaker, as you know.


Anyway, the EPV questions are for someone else to answer. :)

Re: Avoiding htmlspecialchars()

Posted: Sun Oct 13, 2019 1:14 am
by Paul
MarkDHamill wrote:
Sat Oct 12, 2019 8:57 pm
I assume this does not trigger EPV errors.
Like I said before, it is not directly a bad thing if epv triggers something. You should just keep using htmlspecialchars if that does what you require.

The reason htmlspecialchars is checked is that you don't want to have it called on data from the request class, as htmlspecialchars is already called in there. Any other usage of htmlspecialchars is fine.
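An added example (not code from this thread or from phpBB) pulling together the three points above: why the bare & in the feed link breaks XML validation, what htmlspecialchars() and htmlentities() each produce for XML, and the double-escaping that happens when a value the request class already escaped is escaped again. The board URL, message id and title are constructed values.

```php
<?php
// Added example, not code from the thread or from phpBB. Constructed values.

// Escape a string for XML text content. ENT_XML1 yields &apos; instead of the
// HTML-only &#039;; $double_encode=false leaves an existing &amp; untouched.
function xml_escape(string $raw, bool $double_encode = true): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_XML1, 'UTF-8', $double_encode);
}

// Wrap raw text in CDATA; a literal "]]>" inside would end the section early.
function cdata(string $raw): string
{
    return '<![CDATA[' . str_replace(']]>', ']]]]><![CDATA[>', $raw) . ']]>';
}

// True when $xml parses as a well-formed document (what a feed validator checks).
function well_formed(string $xml): bool
{
    libxml_use_internal_errors(true);
    $ok = simplexml_load_string($xml) !== false;
    libxml_clear_errors();
    return $ok;
}

$board_url = 'https://forum.example/';                  // constructed
$link = $board_url . 'ucp.php?i=pm&mode=view&f=0&p=42';  // raw link as built in the thread

// A bare & in XML text is an undefined entity reference, so the raw link fails.
var_dump(well_formed("<link>$link</link>"));                      // bool(false)
var_dump(well_formed('<link>' . xml_escape($link) . '</link>'));  // bool(true)
echo xml_escape($link), "\n";
// https://forum.example/ucp.php?i=pm&amp;mode=view&amp;f=0&amp;p=42

// htmlentities() also turns accented letters into HTML-only entities, which
// XML does not know without a DTD; htmlspecialchars() leaves UTF-8 text alone.
$title = 'Café & "Bar"';
$ent = htmlentities($title, ENT_QUOTES, 'UTF-8');
echo $ent, "\n";                                                  // Caf&eacute; &amp; &quot;Bar&quot;
var_dump(well_formed('<title>' . $ent . '</title>'));             // bool(false)
var_dump(well_formed('<title>' . xml_escape($title) . '</title>')); // bool(true)

// Input that the request layer already escaped must not be escaped a second time.
$already = 'Tom &amp; Jerry';
echo xml_escape($already), "\n";         // Tom &amp;amp; Jerry  (double-escaped)
echo xml_escape($already, false), "\n";  // Tom &amp; Jerry
echo cdata($title), "\n";                // <![CDATA[Café & "Bar"]]>
```

Run with the PHP CLI; the var_dump() lines show which variants a feed validator would accept.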