1 Topic by MattF

  • MattF
  • Senior Member
  • Offline
  • From: South Yorkshire, England
  • Registered: 2007-03-15
  • Posts: 1,956

Topic: pun_htmlspecialchars

Just another quickie. big_smile What variables should the above generally be used upon? I know the page title is always done with it, but should other page headings and/or page displayed usernames be prepended by it also in the scripts?


Cheers,

Matt

MattF's Website

  • CodeXP
  • Senior Member
  • Offline
  • From: /dev/null
  • Registered: 2004-07-07
  • Posts: 503

Re: pun_htmlspecialchars

In general, you would be best served to use in on *all* user-submited data before displaying the page(s).

CodeXP's Website

3 Reply by MattF (edited by MattF 2007-06-10 14:07)

  • MattF
  • Senior Member
  • Offline
  • From: South Yorkshire, England
  • Registered: 2007-03-15
  • Posts: 1,956

Re: pun_htmlspecialchars

So it's better to be excessive in its use then? So usernames, filenames and every other thing they may have had a dabble in naming? big_smile


Cheers,

Matt

MattF's Website

  • Smartys
  • Former PunBB Developer
  • Offline
  • Registered: 2004-04-30
  • Posts: 7,844

Re: pun_htmlspecialchars

Every place where you can't say with 100% certainty that the value will never contain HTML, etc
So, echoing an int stored in the database? Don't bother.
Echoing a string? Use it

5 Reply by MattF

  • MattF
  • Senior Member
  • Offline
  • From: South Yorkshire, England
  • Registered: 2007-03-15
  • Posts: 1,956

Re: pun_htmlspecialchars

Thanks. smile


Matt

MattF's Website

6 Reply by MattF (edited by MattF 2007-06-10 16:05)

  • MattF
  • Senior Member
  • Offline
  • From: South Yorkshire, England
  • Registered: 2007-03-15
  • Posts: 1,956

Re: pun_htmlspecialchars

Right, I know I said it was just a quickie, but............ big_smile

Would the following do what I expect? Just so I can use a shorthand method, if anybody's wondering. big_smile

function esanitise($cleanoutput)
{
global $db, $lang_common, $lang_forum, $lang_index, $pun_config, $pun_start, $tpl_main;

        echo pun_htmlspecialchars($cleanoutput);

}

I don't know if all those global bits are required? I just based this on the existing message() function.


Cheers again,

Matt

MattF's Website

7 Reply by MattF (edited by MattF 2007-06-10 16:05)

  • MattF
  • Senior Member
  • Offline
  • From: South Yorkshire, England
  • Registered: 2007-03-15
  • Posts: 1,956

Re: pun_htmlspecialchars

Just realised the downnfall of the above method. It does assume you want to echo the output. big_smile So, a secondary one like this:

function vsanitise($parseinput)
{
global $db, $lang_common, $lang_forum, $lang_index, $pun_config, $pun_start, $tpl_main;

        $cleanoutput = pun_htmlspecialchars($parseinput);

}

would make two functions that would suit for either cleaning and echoing the input, (example one), or making a variable from the input, (example two), that could be passed to the inscript variable?


Thanks again,

Matt

MattF's Website

  • Smartys
  • Former PunBB Developer
  • Offline
  • Registered: 2004-04-30
  • Posts: 7,844

Re: pun_htmlspecialchars

You don't need the global line since you're using none of those variables.
For the second function, I think you want to return the value, not store it in a local variable
For both functions, why can't you simply call pun_htmlspecialchars when you need it, as opposed to wrapping it in a new function?

9 Reply by MattF

  • MattF
  • Senior Member
  • Offline
  • From: South Yorkshire, England
  • Registered: 2007-03-15
  • Posts: 1,956

Re: pun_htmlspecialchars

Smartys wrote:

You don't need the global line since you're using none of those variables.
For the second function, I think you want to return the value, not store it in a local variable

Cheers. smile


Smartys wrote:

For both functions, why can't you simply call pun_htmlspecialchars when you need it, as opposed to wrapping it in a new function?

Simple answer? Less to type. big_smile Don't like using copy and paste if possible, so I usually hand type everything.

MattF's Website