jekillen Posted December 5, 2015

I have developed a web based file editor that loads text file contents into a textarea element for raw display and editing. However there are problems with this:

1: Any closing textarea tag forward slash has to be escaped: <\/textarea>, otherwise the browser goes berserk and smears code and markup all over the place.

2: The browser will remove escapes when the content is posted, so all escapes have to be doubled: <\\/textarea>, then the extra escape has to be added by code when the file content is loaded into the textarea for edit. That means: generally inside pre tags and in modal dialogs when the text string is composed by JavaScript code, or in strings precomposed and printed/echoed by PHP in HTML markup.

Also:
- new line sequences, e.g. '\n' or '\n\r'
- double quotes, e.g. " \" \" "
- single quotes, e.g. ' \'\' '
- apostrophes inside of single quotes, e.g. ' can\'t '
- regular expressions in code, etc.

My question is: how do I detect and escape backslashes in any circumstance? Would this be less of a problem with wiki editing? (Any developers working on this forum have any tips?)

Here is what I have so far (naming variables with $_varName is just my style):

// </textArea> being the only html tag with 'text' in the name
$_fileStr = str_replace('</text', '<\\\/text', $_fileStr);
$_fileStr = str_replace('\n', '\\\\n', $_fileStr);
$_fileStr = str_replace('\"', '\\\\"', $_fileStr);
$_fileStr = str_replace('\'', "\\\\'", $_fileStr);

But:

$_fileStr = str_replace('\', "\\\\", $_fileStr);

appears to cause my BBEdit text editor's syntax colour coding to break down, and I assume it will not fly with the PHP interpreter either.
Ingolme Posted December 6, 2015

All you really need to do to prevent anything from breaking the textarea is to encode it using htmlspecialchars(): http://php.net/html_special_chars

<?php $content = '<html> tags and </textarea> that could potentially break things'; ?>
<textarea><?php echo htmlspecialchars($content); ?></textarea>
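The answer above says htmlspecialchars() is all the textarea needs; the following added example (not code from this thread) shows why the backslash doubling from the original question is unnecessary: the encoded content cannot close the textarea, and the browser hands the original bytes back on submit. The form layout, the helper names and the sample file content are assumptions constructed for the demo.

```php
<?php
// Added example, not code from the thread: htmlspecialchars() alone makes any
// file content safe inside a <textarea>, with no backslash doubling, and the
// browser hands the original text back unchanged when the form is submitted.

// Constructed sample covering every case from the original question:
// a closing tag, an inline script, backslashes, both quote styles, a literal
// "\n" sequence and a regular expression.
$fileContent = "line one\n"
    . "</textarea><script>alert(1)</script>\n"
    . 'echo "can\'t" . \'\\n\' . "\\\\";' . "\n"
    . '$re = "/<\\/textarea>/i";' . "\n";

// Render the editor form. ENT_QUOTES also escapes the apostrophe so the same
// helper is safe inside attribute values; UTF-8 is the assumed file encoding.
function renderEditor(string $content): string
{
    $escaped = htmlspecialchars($content, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form method="post"><textarea name="content">'
        . $escaped
        . '</textarea><button>Save</button></form>';
}

// Stand-in for the browser: it decodes the entities inside the textarea
// before submitting, so $_POST['content'] arrives as the raw text.
function simulateBrowserSubmit(string $html): string
{
    preg_match('~<textarea name="content">(.*?)</textarea>~s', $html, $m);
    return html_entity_decode($m[1], ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function expect(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("failed: $what");
    }
}

$html = renderEditor($fileContent);
// The literal tag never reaches the markup, so nothing can close the textarea
// early or start a script element.
expect(strpos($html, '</textarea><script>') === false, 'no raw closing tag');
expect(strpos($html, '&lt;/textarea&gt;') !== false, 'tag was entity-encoded');

// Round trip: what the server receives is byte-for-byte the file content.
// Magic quotes are gone since PHP 5.4, so do not stripslashes() the POST value.
$posted = simulateBrowserSubmit($html);
expect($posted === $fileContent, 'round trip preserves backslashes and quotes');
echo "round trip ok, " . strlen($posted) . " bytes\n";
```

One caveat the demo does not cover: HTML parsers discard a single newline immediately after the opening <textarea> tag, so emit an extra "\n" right after the tag if edited files may begin with a blank line.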
redtree Posted December 7, 2015

Have you considered a simple text editor like TinyMCE? This is very easy to implement and gives you a lot more options for editing the text.
COBOLdinosaur Posted December 8, 2015

For the new line sequences just replace them with PHP_EOL, which not only eliminates the backslash problem for new lines but also eliminates cross-platform issues.
jekillen (Author) Posted December 15, 2015

So, if I use 'htmlspecialchars($content)' will I have to contend with the special chars once the file contents are visible and editable in the form textarea? Is TinyMCE a completely HTML/PHP text editor?

My reason for doing this is because of ownership issues when PHP is used to create files, directories, edit files, upload content, copy content, etc. My aim is to create a custom content management system that can be completely used via a web interface, not needing FTP access. Because it is content management it will be strictly limited to registered admin users.

The core and foundation of this system is an HTML/JavaScript/PHP app that emulates a terminal, in that it will produce a directory listing based on user specification. The listing will produce a list similar to using ls -la in a Unix shell, with the added feature of producing the octal version of rwx perms for owner, group and others. It has a set of functions to do things such as change perms, remove, move, create files and dirs, edit (the subject of this post), and turn over (copy FTP-user-owned content, then remove the user-owned version of the copied content).

The text editor can be opened from the terminal app in a JavaScript window.open call or opened directly from an anchor tag.

A file system browser is both stand alone and also used via a call to JavaScript window.open from the terminal app and editor. In the terminal app, the browser can be used to select items that are not visible in the currently listed content. For instance, for moving, one would choose the file or dir to move and the directory to move it to. In the editor, the browser can be used to designate the path to a new file, select a file to open, and for use in "save as" for designating a different directory to place the saved-as file.

There are other facilities I am working on, such as selecting files to create a zip archive, creating the zip archive, unzipping uploaded zip files and designating what directory to place uploaded files in (another use of the file browser), and selecting files and packages to download.

The file browser works roughly like an operating system file browser app that would appear when one saves or opens a file in an app running on the host OS. It has two modes of operation. One is to list all the directories in the initial left-most column. Each dir listing has a radio button next to it that is made into a submit button via JavaScript and initiates an Ajax request for a listing of only the files in that directory. These secondary listings can be done in any order so a user can compare the contents of one dir with a different dir, side by side. The secondary listings can also be removed one at a time in any order. The second display mode is to display only the top directory with all its contained files and directories. Clicking on a radio next to a directory listing will produce a secondary listing of that directory and all of its file and directory contents. As before, the secondary listings can be produced in any order and removed in any order.

Am I reinventing the wheel? Or are there features here that don't exist in any other web CMS system? I don't know. I am retired now, and have not secured work in the development field in spite of over ten years of self-guided learning and developing. Instead of alcohol consumption or computer games, I sit around dreaming up reasons to program. I think of apps and features and figure out how I would get them to work. I have nothing to sell or solicit for here: www.jekillen.com
justsomeguy Posted December 15, 2015

"So, if I use 'htmlspecialchars($content)' will I have to contend with the special chars once the file contents are visible and editable in the form textarea?"

It would be worthwhile to test that and print various strings into textareas to see what gets printed.

"Is TinyMCE a completely html/php text editor?"

TinyMCE runs in the browser using HTML and JavaScript; it doesn't run on the server.

The features you describe are actually common in various malicious backdoor scripts, where people try to find a vulnerability that allows them to upload a file and they upload one which provides filesystem access, console or shell access, etc. Other than that, I'm not sure about a CMS with those features. Because of the potential for abuse, security is pretty important in a project like that.
COBOLdinosaur Posted December 15, 2015

I have spent a very large part of my 50 years programming specializing in security. If you managed to develop what you describe, I would not let it anywhere near any system I was responsible for, because it is on the level of security of a burglar with the keys to your house and car. If you are going to try and develop a CMS, then you need to start by learning all the things you have to defend against for security. Oh, and you need to keep up, because there are hacker groups down on the darknet pouring out new threats on a daily basis.
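justsomeguy and COBOLdinosaur both point out that an editor with list, open, save, move and remove features exposes the same capabilities a backdoor would, so every path the web interface accepts has to be confined before it is used. As an added example (not code from this thread or from jekillen's project), here is one such check in PHP; the function name, the $contentRoot layout and the demo tree are assumptions, and the script assumes a Unix host.

```php
<?php
// Added example, not code from the thread: a path-confinement check an editor
// like this needs before it lists, opens or saves anything. Names are assumed;
// $contentRoot is the one directory the CMS may manage, and only authenticated
// admin users should ever reach this code.

// Return the canonical path for a user-supplied one, or null if it would
// land outside $contentRoot (via "..", an absolute path or a symlink).
function resolveInsideRoot(string $contentRoot, string $userPath): ?string
{
    $root = realpath($contentRoot);
    // NUL bytes truncate paths in the C library calls underneath PHP.
    if ($root === false || strpos($userPath, "\0") !== false) {
        return null;
    }
    $candidate = $root . DIRECTORY_SEPARATOR . ltrim($userPath, '/\\');
    if (file_exists($candidate)) {
        $resolved = realpath($candidate);          // follows symlinks too
    } else {
        // "Save as" targets do not exist yet: canonicalise the parent only.
        $parent = realpath(dirname($candidate));
        if ($parent === false) {
            return null;
        }
        $resolved = $parent . DIRECTORY_SEPARATOR . basename($candidate);
    }
    // Compare with a trailing separator so /srv/site2 is not "inside" /srv/site.
    $inside = $resolved === $root
        || strpos($resolved, $root . DIRECTORY_SEPARATOR) === 0;
    return $inside ? $resolved : null;
}

// Constructed demo tree in the system temp directory (assumes a Unix host).
$tmp = sys_get_temp_dir() . '/editor-demo-' . getmypid();
mkdir("$tmp/content/docs", 0700, true);
file_put_contents("$tmp/content/docs/page.txt", "hello\n");
file_put_contents("$tmp/secret.txt", "outside the content root\n");
symlink("$tmp/secret.txt", "$tmp/content/docs/link.txt");

foreach (['docs/page.txt', 'docs/new.txt', '../secret.txt',
          'docs/../../secret.txt', 'docs/link.txt', "docs/page.txt\0.jpg"] as $p) {
    $r = resolveInsideRoot("$tmp/content", $p);
    printf("%-24s => %s\n", str_replace("\0", '\0', $p), $r ?? 'REJECTED');
}

// Clean up the demo tree.
foreach (["$tmp/content/docs/link.txt", "$tmp/content/docs/page.txt",
          "$tmp/secret.txt"] as $f) { unlink($f); }
rmdir("$tmp/content/docs"); rmdir("$tmp/content"); rmdir($tmp);
```

Only the first two inputs resolve; the others are rejected before any filesystem call acts on them, which is the behaviour the perms, move, remove and turn-over functions all need to inherit.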
john_jack Posted December 16, 2015

How about http://php.net/manual/en/function.addslashes.php and http://php.net/manual/en/function.stripslashes.php? They might do it for you!