Avoiding htmlspecialchars()

Discussion forum for Extension Writers regarding Extension Development.
MarkDHamill
Registered User
Posts: 3940
Joined: Fri Aug 02, 2002 12:36 am
Location: Florence, MA USA

Avoiding htmlspecialchars()

Post by MarkDHamill » Fri Oct 11, 2019 9:53 pm

EPV flags the use of htmlspecialchars() in my Smartfeed extension as an error.
Error: Using htmlspecialchars on line 974 in /controller/feed.php
Is there a workaround? I think in the past the extension review team gave it a waiver. Since I am outputting XML in my extension, it's kind of hard not to use. Example:

Code:

$link = htmlspecialchars($board_url . 'ucp.' . $this->phpEx . '?i=pm&mode=view&f=0&p=' . $row['msg_id']);
Get the latest versions of my Digests and Smartfeed extensions.
Need phpBB services or a phpBB consultant? I offer most phpBB services.

Paul
Infrastructure Team Leader
Posts: 25454
Joined: Sat Dec 04, 2004 3:44 pm
Location: The netherlands.
Name: Paul Sohier

Re: Avoiding htmlspecialchars()

Post by Paul » Fri Oct 11, 2019 9:58 pm

That epv gives a message doesn't mean it will get denied. It will just warn us that we need to look at something and make a decision based on that.
Knock knock
Race condition
Who's there?


AbaddonOrmuz
Registered User
Posts: 712
Joined: Wed Dec 25, 2013 9:06 pm
Location: /dev/null
Name: Alfredo Ramos

Re: Avoiding htmlspecialchars()

Post by AbaddonOrmuz » Fri Oct 11, 2019 10:04 pm

You could use the wrapper utf8_htmlspecialchars() to fix that warning.

https://github.com/phpbb/phpbb/blob/3.2 ... 1344-L1350
Some of my phpBB extensions: [ Imgur | SEO Metadata | Markdown ]
Check out all my extensions
Arch Linux user

MarkDHamill
Registered User
Posts: 3940
Joined: Fri Aug 02, 2002 12:36 am
Location: Florence, MA USA

Re: Avoiding htmlspecialchars()

Post by MarkDHamill » Fri Oct 11, 2019 10:55 pm

AbaddonOrmuz wrote:
Fri Oct 11, 2019 10:04 pm
You could use the wrapper utf8_htmlspecialchars() to fix that warning.

https://github.com/phpbb/phpbb/blob/3.2 ... 1344-L1350
Thanks. This looks like a reasonable solution. It still gives one error in the function, but that's an improvement on many.

Paul
Infrastructure Team Leader
Posts: 25454
Joined: Sat Dec 04, 2004 3:44 pm
Location: The netherlands.
Name: Paul Sohier

Re: Avoiding htmlspecialchars()

Post by Paul » Sat Oct 12, 2019 7:03 am

No, please don't and just ignore the epv warning. It won't be denied for it.

mrgoldy
Jr. Extension Validator
Posts: 1178
Joined: Tue Oct 06, 2009 7:34 pm
Location: The Netherlands
Name: Gijs

Re: Avoiding htmlspecialchars()

Post by mrgoldy » Sat Oct 12, 2019 2:58 pm

Out of curiosity, what needs to be escaped in the URL in the first place?
There is the base domain name (with potential subfolders), okay, but they should already be valid.
Then you have the regular link and add a message id, which sounds like it is an integer.

MarkDHamill
Registered User
Posts: 3940
Joined: Fri Aug 02, 2002 12:36 am
Location: Florence, MA USA

Re: Avoiding htmlspecialchars()

Post by MarkDHamill » Sat Oct 12, 2019 3:06 pm

Mostly it's URLs where the & must be changed to &amp; for key/value pairs. When the feed is validated, it won't pass validation unless these are changed. Much of the content is placed inside of CDATA sections, which gives an escape from the rules. The feed title also needs entities replaced.

3Di
Former Team Member
Posts: 14346
Joined: Mon Apr 04, 2005 11:09 pm
Location: Milan (IT) Frankfurt (DE)
Name: Marco

Re: Avoiding htmlspecialchars()

Post by 3Di » Sat Oct 12, 2019 8:49 pm

Code:

$link = $board_url . 'ucp.' . $this->phpEx . '?i=pm&mode=view&f=0&p=' . $row['msg_id'];
$link = htmlentities($link, ENT_QUOTES, 'UTF-8');
Please PM me only to request paid works. Thx.
Want to compensate me for my interest? Donate
My development's activity º PhpStorm's proud user
Extensions, Scripts, MOD porting, Update/Upgrades
👨‍🏫 | Take a tour to | The Studio | 👨‍🏫

MarkDHamill
Registered User
Posts: 3940
Joined: Fri Aug 02, 2002 12:36 am
Location: Florence, MA USA

Re: Avoiding htmlspecialchars()

Post by MarkDHamill » Sat Oct 12, 2019 8:57 pm

I assume this does not trigger EPV errors.

3Di
Former Team Member
Posts: 14346
Joined: Mon Apr 04, 2005 11:09 pm
Location: Milan (IT) Frankfurt (DE)
Name: Marco

Re: Avoiding htmlspecialchars()

Post by 3Di » Sat Oct 12, 2019 9:02 pm

You can try, if it does just ignore those errors as Paul said. EPV can be used online to check your default branch, did you know?
I think htmlentities() is the right function to be used here, for your use case.

MarkDHamill
Registered User
Posts: 3940
Joined: Fri Aug 02, 2002 12:36 am
Location: Florence, MA USA

Re: Avoiding htmlspecialchars()

Post by MarkDHamill » Sat Oct 12, 2019 9:24 pm

I have downloaded EPV and checked it locally. I haven't tried it with this change. It would seem strange if it were allowed and htmlspecialchars were not, since I don't see much difference between them.

3Di
Former Team Member
Posts: 14346
Joined: Mon Apr 04, 2005 11:09 pm
Location: Milan (IT) Frankfurt (DE)
Name: Marco

Re: Avoiding htmlspecialchars()

Post by 3Di » Sat Oct 12, 2019 9:49 pm

MarkDHamill wrote:
Sat Oct 12, 2019 9:24 pm
I don't see much difference between them.
I honestly do.
htmlentities — Convert all applicable characters to HTML entities
htmlspecialchars — Convert special characters to HTML entities

Performed translations

Character | Replacement
& (ampersand) | &amp;
" (double quote) | &quot;, unless ENT_NOQUOTES is set
' (single quote) | &#039; (for ENT_HTML401) or &apos; (for ENT_XML1, ENT_XHTML or ENT_HTML5), but only when ENT_QUOTES is set
< (less than) | &lt;
> (greater than) | &gt;
MarkDHamill wrote:
Sat Oct 12, 2019 9:24 pm
I have downloaded EPV and checked it locally. I haven't tried it with this change.
Sorry but I don't see a reason to be arguing about something if it hasn't been tested first. :)

MarkDHamill
Registered User
Posts: 3940
Joined: Fri Aug 02, 2002 12:36 am
Location: Florence, MA USA

Re: Avoiding htmlspecialchars()

Post by MarkDHamill » Sun Oct 13, 2019 12:51 am

I wasn't arguing, I just didn't have a chance to test it out. htmlentities() does not trigger an EPV error and doesn't appear on initial testing to cause any issues with feed validation. Presumably htmlspecialchars() was flagged by EPV for a reason. Maybe htmlentities() should have been too. Not sure what the criteria is for being included as a flag by EPV.

3Di
Former Team Member
Posts: 14346
Joined: Mon Apr 04, 2005 11:09 pm
Location: Milan (IT) Frankfurt (DE)
Name: Marco

Re: Avoiding htmlspecialchars()

Post by 3Di » Sun Oct 13, 2019 12:58 am

I meant to say "discuss", which according to my dictionary means the same thing, in the present context, as per
"why discuss some thing not yet tried?" Sure thing I am not a native speaker, as you know.


Anyway, the EPV questions are for someone else to answer. :)

Paul
Infrastructure Team Leader
Posts: 25454
Joined: Sat Dec 04, 2004 3:44 pm
Location: The netherlands.
Name: Paul Sohier

Re: Avoiding htmlspecialchars()

Post by Paul » Sun Oct 13, 2019 1:14 am

MarkDHamill wrote:
Sat Oct 12, 2019 8:57 pm
I assume this does not trigger EPV errors.
As said before, it is not directly a bad thing if epv triggers something. You should just keep using htmlspecialchars if that does what you require.

The reason htmlspecialchars is checked is that you don't want to have it called on data from the request class, as htmlspecialchars is already called in there. Any other usage of htmlspecialchars is fine.
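The points raised in this thread, as an added PHP example that is not code from the thread, from phpBB or from the Smartfeed extension: it uses constructed stand-ins for $board_url, $this->phpEx and $row['msg_id'], and simulates the request class's prior escaping with a plain htmlspecialchars() call.

```php
<?php
// Added example, not code from the thread or from the Smartfeed extension.
// Compares the two functions discussed above when the output is XML (a feed),
// and shows the double-encoding problem behind the EPV check.

// Escape text for an XML element or attribute. XML parsers only know the five
// predefined entities (&amp; &lt; &gt; &quot; &apos;), which is exactly the set
// htmlspecialchars() produces when given the XML flags.
function xml_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_XML1, 'UTF-8');
}

// Constructed stand-ins for $board_url, $this->phpEx and $row['msg_id'].
$board_url = 'https://example.test/forum/';
$phpEx     = 'php';
$msg_id    = 42;

$link = $board_url . 'ucp.' . $phpEx . '?i=pm&mode=view&f=0&p=' . $msg_id;

// 1. A query string contains '&', which is illegal in XML text. For a pure-ASCII
//    URL both functions produce the same, well-formed result.
echo xml_escape($link), "\n";
echo htmlentities($link, ENT_QUOTES, 'UTF-8'), "\n";

// 2. Non-ASCII text (a feed title, say) is where they differ: htmlentities()
//    replaces characters such as 'é' with HTML named entities that XML does not
//    define, so a feed validator rejects the document unless the value sits in a
//    CDATA section. htmlspecialchars() leaves the UTF-8 character untouched.
$title = 'Café & "Bar" <news>';
echo xml_escape($title), "\n";
echo htmlentities($title, ENT_QUOTES, 'UTF-8'), "\n";

// 3. Why the validator flags htmlspecialchars(): a value that has already been
//    escaped once (the thread says the request class does this) gets its '&'
//    encoded again, so readers see the literal text "&amp;". Simulated here with a
//    plain htmlspecialchars() call standing in for the request class.
$from_request = htmlspecialchars('Tom & Jerry', ENT_QUOTES, 'UTF-8');
echo htmlspecialchars($from_request, ENT_QUOTES, 'UTF-8'), "\n";        // double-encoded
echo htmlspecialchars($from_request, ENT_QUOTES, 'UTF-8', false), "\n"; // double_encode=false keeps existing entities
```

The practical check is to run the generated feed through an XML validator with a title containing a non-ASCII character, since an ASCII-only URL will not expose the difference between the two functions.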
