
Editing text in textArea element?


jekillen


I have developed a web-based file editor that loads text file contents into a textarea element for raw display and editing.

However there are problems with this:

1: any closing textarea tag forward slash has to be escaped: <\/textarea>, otherwise the browser goes berserk and smears code and markup all over the place.

2: The browser will remove escapes when the content is posted, so all escapes have to be doubled: <\\/textarea>, then the extra escape has to be added by code when the file content is loaded into the textarea for edit.

 

That means:

generally inside pre tags and in modal dialogs when the text string is composed by javascript code. Or, in strings precomposed and printed/echoed by php in html markup.

new line sequences e.g. '\n' or '\n\r'

Also:

double quotes e.g. " \" \" "
single quotes e.g. ' \'\' '
apostrophes inside of single quotes e.g. ' can\'t '

And regular expressions in code and etc.

My question is:

How to detect and escape backslashes in any circumstance?

Would this be less of a problem with wiki editing?

(any developers working on this forum have any tips?)

Here is what I have so far: (naming variables with $_varName is just my style)

// </textArea> being the only html tag with 'text' in the name
$_fileStr = str_replace('</text', '<\\\/text', $_fileStr);
$_fileStr = str_replace('\n', '\\\\n', $_fileStr);
$_fileStr = str_replace('\"', '\\\\"', $_fileStr);
$_fileStr = str_replace('\'', "\\\\'", $_fileStr);

But:

$_fileStr = str_replace('\', "\\\\", $_fileStr);

Appears to cause my BBedit text editor syntax color coding to break down and I assume it will not fly with the php interpreter either.


All you really need to do to prevent anything from breaking the textarea is to encode it using htmlspecialchars() http://php.net/html_special_chars

<?php
$content = '<html> tags and </textarea> that could potentially break things';
?>
<textarea><?php echo htmlspecialchars($content); ?></textarea>
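As an added example (not code from this thread), the htmlspecialchars() approach from this answer next to the backslash approach from the question, run on a constructed file; the function names are mine.

```php
<?php
// Added example, not code from this thread: the htmlspecialchars() approach from
// this answer next to the backslash approach from the question, run on a
// constructed file. Function names are mine.

// Constructed sample content with the cases a raw textarea chokes on: a closing
// tag (upper case, so str_replace('</text', ...) never sees it), backslashes,
// both kinds of quotes and a literal \n escape as it appears in source code.
$sample = "line 1\n"
        . "</TEXTAREA><b>out of the textarea</b>\n"
        . "printf(\"can't\\n\");\n"
        . "regex: /\\\\d+\\/(\\w+)/\n";

// The question's approach: backslash the closing tag and double the escapes.
// The line that broke the editor needs the backslash itself escaped in single
// quotes, i.e. str_replace('\\', '\\\\', ...); '\' alone never ends the string.
function escapeWithBackslashes(string $s): string
{
    $s = str_replace('</text', '<\\\/text', $s);
    $s = str_replace('\n', '\\\\n', $s);
    return $s;
}

// The answer's approach: HTML-encode. ENT_QUOTES also turns ' and " into
// entities, so the same helper is safe inside attribute values.
function escapeForTextarea(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The browser decodes the entities before showing the textarea, so what the
// user sees and what the form posts back is the original text: nothing has to
// be stripped or re-doubled on the way in or out.
function roundTrip(string $s): bool
{
    return htmlspecialchars_decode(escapeForTextarea($s), ENT_QUOTES) === $s;
}

$backslashed = escapeWithBackslashes($sample);
$encoded     = escapeForTextarea($sample);

// Tag names are case-insensitive in HTML, so the upper-case closing tag still
// terminates the textarea after the backslash treatment; after encoding there
// is no '<' left at all.
var_dump(stripos($backslashed, '</TEXTAREA>') !== false);
var_dump(strpos($encoded, '<') === false);
var_dump(roundTrip($sample));

echo '<textarea name="content">', $encoded, '</textarea>', PHP_EOL;
```

Run it with the php command-line binary; the textarea line it prints is what the browser decodes back into the original text.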

For the new line sequences just replace them with PHP_EOL, which not only eliminates the backslash problem for new lines but also eliminates cross-platform issues.


So, if I use 'htmlspecialchars($content)', will I have to contend with the special chars once the file contents are visible and editable in the form textarea?

Is TinyMCE a completely html/php text editor? My reason for doing this is because of ownership issues when php is used to create files, directories, edit files, upload content, copy content, etc. My aim is to create a custom content management system that can be completely used via a web interface, not needing ftp access. Because it is content management it will be strictly limited to registered admin users.

The core and foundation of this system is an html/javascript/php app that emulates a terminal, in that it will produce a directory listing based on user specification. The listing will produce a list similar to using ls -la in a unix shell, with the added feature of producing the octal version of rwx perms for owner, group and others. It has a set of functions to do things such as change perms, remove, move, create files and dirs, edit (the subject of this post), and turn over (copy ftp user owned content, then remove the user owned version of the copied content).

The text editor: can be opened from the terminal app in a javascript window.open call or opened directly from an anchor tag.

A file system browser which is both stand alone and also used via a call to javascript window.open from the terminal app and editor.

In the terminal app, the browser can be used to select items that are not visible in the currently listed content. For instance, for moving, one would choose the file or dir to move and the directory to move it to.

In the editor, the browser can be used to designate the path to a new file, select a file to open, and for use in save as for designating a different directory to place the saved-as file.

There are other facilities I am working on, such as selecting files to create a zip archive, creating the zip archive, unzipping uploaded zip files and designating what directory to place uploaded files in (another use of the file browser), and selecting files and packages to download.

The file browser works roughly like an operating system file browser app that would appear when one saves or opens a file in an app running on the host OS. It has two modes of operation. One is to list all the directories in the initial left-most column. Each dir listing has a radio button next to it that is made into a submit button via javascript and initiates an ajax request for a listing of only the files in that directory. These secondary listings can be done in any order so a user can compare the contents of one dir with a different dir, side by side. The secondary listings can also be removed one at a time in any order.

The second display mode is to display only the top directory with all its contained files and directories. Clicking on a radio next to a directory listing will produce a secondary listing of that directory and all of its file and directory contents. As before, the secondary listings can be produced in any order and removed in any order.

Am I reinventing the wheel? Or are there features here that don't exist in any other web CMS system? I don't know; I am retired now, and have not secured work in the development field in spite of over ten years of self-guided learning and developing. Instead of alcohol consumption or computer games, I sit around dreaming up reasons to program. I think of apps and features and figure out how I would get them to work.

I have nothing to sell or solicit for here:

www.jekillen.com


So, if I use 'htmlspecialchars($content)' will I have to contend with the special chars once the file contents are visible and editable in the form textarea?

It would be worthwhile to test that and print various strings into textareas to see what gets printed.

Is TinyMCE a completely html/php text editor?

TinyMCE runs in the browser using HTML and Javascript; it doesn't run on the server.

The features you describe are actually common in various malicious backdoor scripts, where people try to find a vulnerability that allows them to upload a file and they upload one which provides filesystem access, console or shell access, etc. Other than that, I'm not sure about a CMS with those features. Because of the potential for abuse, security is pretty important in a project like that.


I have spent a very large part of my 50 years programming specializing in security. If you managed to develop what you describe, I would not let it anywhere near any system I was responsible for, because it is on the level of security of a burglar with the keys to your house and car. If you are going to try and develop a CMS, then you need to start by learning all the things you have to defend against for security. Oh, and you need to keep up, because there are hacker groups down on the darknet pouring out new threats on a daily basis.
