Avoiding htmlspecialchars()

Discussion forum for Extension Writers regarding Extension Development.
MarkDHamill
Registered User
Posts: 4280
Joined: Fri Aug 02, 2002 12:36 am
Location: Florence, MA USA

Avoiding htmlspecialchars()

Post by MarkDHamill »

EPV flags the use of htmlspecialchars() in my Smartfeed extension as an error.
Error: Using htmlspecialchars on line 974 in /controller/feed.php
Is there a workaround? I think in the past the extension review team gave it a waiver. Since I am outputting XML in my extension, it's kind of hard not to use. Example:

Code:

$link = htmlspecialchars($board_url . 'ucp.' . $this->phpEx . '?i=pm&mode=view&f=0&p=' . $row['msg_id']);
Need phpBB services or a phpBB consultant? I offer most phpBB services. Getting lost managing phpBB? Buy my book, Mastering phpBB Administration. Kindle and paper versions available.
Paul
Infrastructure Team Leader
Posts: 26841
Joined: Sat Dec 04, 2004 3:44 pm
Location: The netherlands.
Name: Paul Sohier

Re: Avoiding htmlspecialchars()

Post by Paul »

That epv gives a message doesn't mean it will get denied. It will just warn us that we need to look at something and make a decision based on that.
Knock knock
Race condition
Who's there?

My Blog | My Photos | My phpBB Extensions | Custom phpBB work & Development
AbaddonOrmuz
Recognised Extension Developer
Posts: 1001
Joined: Wed Dec 25, 2013 9:06 pm
Location: /dev/null
Name: Alfredo

Re: Avoiding htmlspecialchars()

Post by AbaddonOrmuz »

You could use the wrapper utf8_htmlspecialchars() to fix that warning.

https://github.com/phpbb/phpbb/blob/3.2 ... 1344-L1350
Some of my phpBB extensions:
Image Imgur | :chart_with_upwards_trend: SEO Metadata | Image Markdown | :lock: Auto-lock Topics
:trophy: Check out all my validated extensions :trophy:

:penguin: Arch Linux user :penguin:
MarkDHamill
Registered User
Posts: 4280
Joined: Fri Aug 02, 2002 12:36 am
Location: Florence, MA USA

Re: Avoiding htmlspecialchars()

Post by MarkDHamill »

AbaddonOrmuz wrote:
Fri Oct 11, 2019 10:04 pm
You could use the wrapper utf8_htmlspecialchars() to fix that warning.

https://github.com/phpbb/phpbb/blob/3.2 ... 1344-L1350
Thanks. This looks like a reasonable solution. It still gives one error in the function, but that's an improvement on many.
Paul
Infrastructure Team Leader
Posts: 26841
Joined: Sat Dec 04, 2004 3:44 pm
Location: The netherlands.
Name: Paul Sohier

Re: Avoiding htmlspecialchars()

Post by Paul »

No, please don't and just ignore the epv warning. It won't be denied for it.
mrgoldy
Development Team Member
Posts: 1392
Joined: Tue Oct 06, 2009 7:34 pm
Location: The Netherlands
Name: Gijs

Re: Avoiding htmlspecialchars()

Post by mrgoldy »

Out of curiosity, what needs to be escaped in the URL in the first place?
There is the base domain name (with potential subfolders), okay, but they should already be valid.
Then you have the regular link and add a message id, which sounds like it is an integer.
phpBB Studio / Member of the Studio

Contributing: You can do it too! Including testing Pull Requests (PR).
phpBB Development and Testing made easy.
MarkDHamill
Registered User
Posts: 4280
Joined: Fri Aug 02, 2002 12:36 am
Location: Florence, MA USA

Re: Avoiding htmlspecialchars()

Post by MarkDHamill »

Mostly it's URLs where the & must be changed to &amp; for key/value pairs. When the feed is validated, it won't pass validation unless these are changed. Much of the content is placed inside of CDATA sections, which gives an escape from the rules. The feed title also needs entities replaced.
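The point made above, that a raw "&" in a feed link fails XML validation while one htmlspecialchars() call fixes it, and that CDATA sections have their own single escape rule, as an added example. This is not code from the thread or from the Smartfeed extension; $board_url, $php_ext and $msg_id are constructed stand-ins for the extension's own variables, and the item layout is a minimal constructed feed item rather than the extension's real output.

```php
<?php
// Added example, not code from the thread or the Smartfeed extension: shows
// why a raw "&" in a feed link is rejected by an XML parser, that a single
// htmlspecialchars() call fixes exactly that, and how to keep a CDATA body
// from being closed early by its own content.
// $board_url, $php_ext and $msg_id are constructed stand-ins for the
// extension's own variables.
declare(strict_types=1);

function is_well_formed_xml(string $xml): bool
{
    $previous = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $ok = $doc->loadXML($xml) !== false;
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    return $ok;
}

function feed_item(string $link, string $title, string $body): string
{
    // Element text: escape the five XML specials exactly once. ENT_XML1 makes
    // htmlspecialchars() emit &apos; instead of the HTML-flavoured &#039;.
    $flags = ENT_QUOTES | ENT_XML1;
    $escaped_link  = htmlspecialchars($link, $flags, 'UTF-8');
    $escaped_title = htmlspecialchars($title, $flags, 'UTF-8');

    // CDATA suspends entity rules, but the literal "]]>" terminates the
    // section, so a body containing it would spill the rest out as markup.
    // Splitting it into two adjacent CDATA sections keeps the body inert.
    $cdata_body = str_replace(']]>', ']]]]><![CDATA[>', $body);

    return '<?xml version="1.0" encoding="UTF-8"?>' . "\n"
        . "<item>\n"
        . "  <title>{$escaped_title}</title>\n"
        . "  <link>{$escaped_link}</link>\n"
        . "  <description><![CDATA[{$cdata_body}]]></description>\n"
        . "</item>\n";
}

function text_of(string $xml, string $tag): string
{
    $doc = new DOMDocument();
    $doc->loadXML($xml);
    // textContent joins adjacent text and CDATA nodes back into one string.
    return $doc->getElementsByTagName($tag)->item(0)->textContent;
}

// Constructed sample values.
$board_url = 'https://forum.example.test/';
$php_ext   = 'php';
$msg_id    = 42;
$link = $board_url . 'ucp.' . $php_ext . '?i=pm&mode=view&f=0&p=' . $msg_id;

// "&mode=" is read as an entity reference with no terminating ";", so the
// raw link is not well-formed, which is what a feed validator reports.
var_dump(is_well_formed_xml("<item><link>{$link}</link></item>"));

// Escaped once, the item parses and the parser hands back the original
// strings, including the "]]>" inside the CDATA body.
$xml = feed_item($link, 'Tom & Jerry <PM>', 'Body with ]]> inside');
var_dump(is_well_formed_xml($xml));
var_dump(text_of($xml, 'link') === $link);
var_dump(text_of($xml, 'title') === 'Tom & Jerry <PM>');
var_dump(text_of($xml, 'description') === 'Body with ]]> inside');
```

Running it prints false for the raw link and true for the four checks on the escaped item. The CDATA split matters because "gives an escape from the rules" is only true as long as the body itself never contains "]]>"; splitting it is the standard way to keep user-controlled text inside the section.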
3Di
Former Team Member
Posts: 16038
Joined: Mon Apr 04, 2005 11:09 pm
Location: Milan (IT) Frankfurt (DE)
Name: Marco

Re: Avoiding htmlspecialchars()

Post by 3Di »

Code:

$link = $board_url . 'ucp.' . $this->phpEx . '?i=pm&mode=view&f=0&p=' . $row['msg_id'];
$link = htmlentities($link, ENT_QUOTES, 'UTF-8');
Please PM me only to request paid works. Thx.
Want to compensate me for my interest? Donate
My development's activity º PhpStorm's proud user
Extensions, Scripts, MOD porting, Update/Upgrades
Looking for a specific feature or alternative option? We will rock you! 🚀
MarkDHamill
Registered User
Posts: 4280
Joined: Fri Aug 02, 2002 12:36 am
Location: Florence, MA USA

Re: Avoiding htmlspecialchars()

Post by MarkDHamill »

I assume this does not trigger EPV errors.
3Di
Former Team Member
Posts: 16038
Joined: Mon Apr 04, 2005 11:09 pm
Location: Milan (IT) Frankfurt (DE)
Name: Marco

Re: Avoiding htmlspecialchars()

Post by 3Di »

You can try; if it does, just ignore those errors as Paul said. EPV can be used online to check your default branch, did you know?
I think htmlentities() is the right function to be used here, for your use case.
MarkDHamill
Registered User
Posts: 4280
Joined: Fri Aug 02, 2002 12:36 am
Location: Florence, MA USA

Re: Avoiding htmlspecialchars()

Post by MarkDHamill »

I have downloaded EPV and checked it locally. I haven't tried it with this change. It would seem strange if it were allowed and htmlspecialchars were not, since I don't see much difference between them.
3Di
Former Team Member
Posts: 16038
Joined: Mon Apr 04, 2005 11:09 pm
Location: Milan (IT) Frankfurt (DE)
Name: Marco

Re: Avoiding htmlspecialchars()

Post by 3Di »

MarkDHamill wrote:
Sat Oct 12, 2019 9:24 pm
I don't see much difference between them.
I honestly do.
htmlentities — Convert all applicable characters to HTML entities
htmlspecialchars — Convert special characters to HTML entities

Performed translations

Character          Replacement
& (ampersand)      &amp;
" (double quote)   &quot;, unless ENT_NOQUOTES is set
' (single quote)   &#039; (for ENT_HTML401) or &apos; (for ENT_XML1, ENT_XHTML or ENT_HTML5), but only when ENT_QUOTES is set
< (less than)      &lt;
> (greater than)   &gt;
MarkDHamill wrote:
Sat Oct 12, 2019 9:24 pm
I have downloaded EPV and checked it locally. I haven't tried it with this change.
Sorry but I don't see a reason to be arguing about something if it hasn't been tested first. :)
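What the quoted table means for an XML feed, as an added example that is not part of the thread: the two functions treat the five characters in the table identically, but htmlentities() additionally converts characters such as "é" and "©" into named HTML entities, and XML predefines only &amp;, &lt;, &gt;, &quot; and &apos;. A feed title containing such a named entity is therefore no longer well-formed. The sample titles are constructed.

```php
<?php
// Added example, not code from the thread: compares htmlspecialchars() and
// htmlentities() on the same constructed titles and checks whether the
// resulting <title> element is still well-formed XML.
declare(strict_types=1);

// Let libxml report parse failures as a false return instead of PHP warnings.
libxml_use_internal_errors(true);

/** @return array<string,string> function name => escaped output */
function escape_both(string $text): array
{
    return [
        'htmlspecialchars' => htmlspecialchars($text, ENT_QUOTES, 'UTF-8'),
        'htmlentities'     => htmlentities($text, ENT_QUOTES, 'UTF-8'),
    ];
}

/** @return array<string,bool> function name => whether <title> still parses */
function feed_title_parses(string $title): array
{
    $result = [];
    foreach (escape_both($title) as $func => $escaped) {
        // Undefined entity references such as &eacute; are a well-formedness
        // error, so simplexml_load_string() returns false for them.
        $result[$func] = simplexml_load_string("<title>{$escaped}</title>") !== false;
        libxml_clear_errors();
    }
    return $result;
}

// Constructed sample titles.
$titles = [
    'ASCII only: a&b <c> "d"',  // both functions produce the same output
    'Café © 2019',               // htmlentities() emits &eacute; and &copy;
];

foreach ($titles as $title) {
    $parses = feed_title_parses($title);
    foreach (escape_both($title) as $func => $escaped) {
        printf("%-16s %-44s %s\n", $func, $escaped,
            $parses[$func] ? 'well-formed' : 'NOT well-formed');
    }
}
```

For the ASCII-only title both rows print identical output and both are well-formed; for the second title the htmlspecialchars() row leaves "é" and "©" untouched (valid UTF-8 text in XML) while the htmlentities() row is reported as not well-formed. That is the practical difference for a UTF-8 feed: on titles that contain non-ASCII characters, htmlentities() produces output an XML parser rejects, whereas htmlspecialchars() only touches the characters XML actually reserves.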
MarkDHamill
Registered User
Posts: 4280
Joined: Fri Aug 02, 2002 12:36 am
Location: Florence, MA USA

Re: Avoiding htmlspecialchars()

Post by MarkDHamill »

I wasn't arguing, I just didn't have a chance to test it out. htmlentities() does not trigger an EPV error and doesn't appear on initial testing to cause any issues with feed validation. Presumably htmlspecialchars() was flagged by EPV for a reason. Maybe htmlentities() should have been too. Not sure what the criteria are for being included as a flag by EPV.
3Di
Former Team Member
Posts: 16038
Joined: Mon Apr 04, 2005 11:09 pm
Location: Milan (IT) Frankfurt (DE)
Name: Marco

Re: Avoiding htmlspecialchars()

Post by 3Di »

I meant to say "discuss", which according to my dictionary means the same thing in the present context, as in
"why discuss something not yet tried?" Sure thing, I am not a native speaker, as you know.

Anyway, the EPV questions are for someone else to answer. :)
Paul
Infrastructure Team Leader
Posts: 26841
Joined: Sat Dec 04, 2004 3:44 pm
Location: The netherlands.
Name: Paul Sohier

Re: Avoiding htmlspecialchars()

Post by Paul »

MarkDHamill wrote:
Sat Oct 12, 2019 8:57 pm
I assume this does not trigger EPV errors.
Like I said before, it is not directly a bad thing if epv triggers something. You should just keep using htmlspecialchars if that does what you require.

The reason htmlspecialchars is checked is that you don't want to have it called on values from the request class, as htmlspecialchars is already called in there. Any other usage of htmlspecialchars is fine.
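The double-escaping case behind the EPV check, as an added example that is not part of the thread and not phpBB's own code: the request_stub class below is a constructed stand-in that models the behaviour described above (string values come back from the request object already run through htmlspecialchars(); the ENT_COMPAT/UTF-8 flags are this example's assumption). Escaping such a value a second time double-encodes it, while values the extension assembles itself, such as a link built from a message id, have never been escaped and need exactly one call.

```php
<?php
// Added example, not code from the thread or from phpBB: why escaping a value
// obtained from the request class again is a bug, while escaping a URL the
// extension built itself is required. request_stub is a constructed stand-in
// for the request object, not the real phpBB class.
declare(strict_types=1);

final class request_stub
{
    /** @var array<string,string> constructed stand-in for $_GET */
    private $get;

    public function __construct(array $get)
    {
        $this->get = $get;
    }

    // Models what the thread says the real request object does for string
    // parameters: the value is returned already run through htmlspecialchars()
    // (assumption: ENT_COMPAT and UTF-8).
    public function variable(string $key, string $default): string
    {
        $raw = $this->get[$key] ?? $default;
        return htmlspecialchars($raw, ENT_COMPAT, 'UTF-8');
    }
}

// True when the value carries exactly one layer of escaping: decoding it once
// must leave no entity behind. A leftover "&amp;" or "&lt;" after one decode
// means the value was encoded twice.
function encoded_once(string $escaped): bool
{
    $decoded = html_entity_decode($escaped, ENT_QUOTES, 'UTF-8');
    return preg_match('/&(?:#\d+|#x[0-9a-f]+|[a-z]+);/i', $decoded) !== 1;
}

// Constructed query string: a title with characters that need escaping.
$request = new request_stub(['title' => 'Tom & Jerry <PM>']);

// Already safe for output: the request object escaped it.
$from_request = $request->variable('title', '');
var_dump($from_request);

// Escaping it again (the pattern EPV flags) double-encodes: a reader would
// see the literal text "&amp;" and "&lt;" instead of "&" and "<".
$double = htmlspecialchars($from_request, ENT_COMPAT, 'UTF-8');
var_dump($double);

// A link the extension assembles itself was never escaped, so this is the
// place where one htmlspecialchars() call belongs (constructed values).
$board_url = 'https://forum.example.test/';
$row = ['msg_id' => 42];
$link = $board_url . 'ucp.php?i=pm&mode=view&f=0&p=' . $row['msg_id'];
$escaped_link = htmlspecialchars($link, ENT_QUOTES, 'UTF-8');
var_dump($escaped_link);

var_dump(encoded_once($from_request));
var_dump(encoded_once($double));
var_dump(encoded_once($escaped_link));
```

The three encoded_once() checks print true, false and true: the request value and the self-built link each carry one layer of escaping, the re-escaped request value carries two. The rule that follows is the one Paul states: escape at the point where the extension produces raw text (a URL it concatenated, a title it built), never on what the request class already hands back escaped.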