Custom Profile HTML characters constantly formatted out

Posted by Joe Curia 
July 29, 2008 02:54AM
I have been debugging an issue which was brought to my attention in my Enhanced Custom Profiles module thread. However, it now appears to be an issue with the way all custom profiles are handled, with or without my mod.

If a custom profile field is set "HTML disabled" = Yes and a special character (i.e. "&") is entered, that character will be saved properly the first time. However, the next time another custom profile field is saved from a different control center page, all of the custom profile fields are updated. This would be ok, but the other fields are updated with information taken from the phorum_api_user_get() function. This function grabs the custom profile fields using the htmlspecialchars() function, meaning that every time the fields are updated, if that field is not in the $_POST, then it will have its HTML characters formatted out. The end result is that "&" will become "&amp;" the first time a different custom profile field is updated on a different page. The next time it will become "&amp;amp;", then "&amp;amp;amp;" and so on because the & is continually formatted out.

I hope this makes sense. If not, I am more than willing to reword/redescribe the problem.


Joe Curia (aka Azumandias)
Modules: Admin Mass Email, Automatic Time Zones, Enhanced Custom Profiles, Google Calendar, Post Previews, Admin Security Suite, Check Modules for Upgrades, External Authentication, Group Auto-Email, Private Message Alerts, Attachment Download Counter, Custom Attachment Icons, Favorite Forums, Highlighted Search Terms, Self-Delete Posts Option, Attachment Watermarks, Custom Language Database, Forum Lockdown, Ignore Forums, Threaded Tree View, Automatic Message Pruning, Easy Color Scheme Manager, Forum Subscriptions, Moderated User Group
Templates: Generic Integration, Simple Rounded, Tabbed Emerald

Edited 3 time(s). Last edit at 07/29/2008 03:43AM by Azumandias.
Re: Custom Profile HTML characters constantly formatted out
July 29, 2008 04:33AM
In testing I found that adding the green lines starting around line 428 in the ./include/api/user.php file solved the issue:
    // Check if we are handling an existing or new user.
    $existing = NULL;
    if ($user['user_id'] !== NULL) {
        $existing = phorum_api_user_get($user['user_id'], TRUE);
    }
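    // Added lines: undo the HTML escaping of custom profile fields so that
    // the values are not escaped again when they are written back.
    // The NULL check avoids a foreach() warning when a new user is saved.
    if ($existing !== NULL) {
        foreach ($existing as $e_name => $value) {
            $chk_custom = phorum_api_custom_profile_field_byname($e_name);
            if ($chk_custom !== NULL) {
                $existing[$e_name] = htmlspecialchars_decode($value);
            }
        }
    }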
    // Create a user data array that is understood by the database layer.
    // We start out with the existing record, if we have one.
    $dbuser = $existing === NULL ? array() : $existing;

This is after the user data fields are pulled from the database, but before they are merged with the new $_POST data. This should be a safe enough solution to the issue as it still allows the phorum_api_user_get() function to escape the HTML special characters for non-saving purposes but will not repeatedly escape the HTML characters while saving.


Joe Curia (aka Azumandias)
Re: Custom Profile HTML characters constantly formatted out
July 29, 2008 08:22AM
That might do the trick, but it is hardly a performance-friendly solution. We'll take a look at it.


Maurice Makaay
Phorum Development Team
my blog linkedin profile secret sauce
Re: Custom Profile HTML characters constantly formatted out
July 29, 2008 01:48PM
You're right, it would be a bit of a slowdown, but only when users are saved. Still, another thought I had was to add a variable to the phorum_db_user_get() and phorum_api_user_get() functions set to $escape_html = TRUE which the phorum_api_user_save() function could set to false. This could be used in conjunction with the "html_disabled" check to not run htmlspecialchars() on the custom profile fields. However, this still runs into problems with the user cache. That may need to have the htmlspecialchars_decode() run.

Of course you devs know best, I am just trying to do some of the leg work for you. Feel free to take or leave it or tell me to shut up :-)


Joe Curia (aka Azumandias)
Re: Custom Profile HTML characters constantly formatted out
July 29, 2008 01:54PM
I thought about this additional switch too, but the user cache really gives a problem. Maybe it needs to be more like "raw_data" which even ignores the user cache, which should be invalidated/refreshed anyway on save.

Your solution has at least one problem: if a field is not HTML escaped but still contains encoded HTML, that will be decoded and saved in decoded format too.


Thomas Seifert
Phorum Development Team / Mysnip-Solutions.de
Custom Phorum and general software development
worry-free Phorum Hosting
Re: Custom Profile HTML characters constantly formatted out
July 29, 2008 02:33PM
If the "raw_data" is used with the added switch to disable the use of htmlspecialchars() then there would be no need to run the htmlspecialchars_decode(). Your suggestion seems like the best one to me, admittedly a simple code monkey. :-)


Joe Curia (aka Azumandias)
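
Added example, not part of the thread and not Phorum code: a constructed model of the save cycle discussed above, comparing the reported behaviour, the decode-before-merge workaround, and the "raw_data" read. All function names, the field names and the sample record are hypothetical.

```php
<?php
// Constructed model of the save cycle discussed in this thread; not Phorum code.
// All names are hypothetical. $escaped lists fields with "HTML disabled" = Yes.
$escaped = ['location' => true, 'about' => false];

// Read path: escape "HTML disabled" fields for display unless raw data is requested.
function user_get(array $db, array $escaped, bool $raw = false): array {
    foreach ($db as $name => $value) {
        if (!$raw && !empty($escaped[$name])) {
            $db[$name] = htmlspecialchars($value);
        }
    }
    return $db;
}

// Behaviour reported in the first post: untouched fields are written back escaped.
function save_buggy(array $db, array $escaped, array $post): array {
    return array_merge(user_get($db, $escaped), $post);
}

// Workaround from the second post: decode every existing field before merging.
function save_decode(array $db, array $escaped, array $post): array {
    $existing = array_map('htmlspecialchars_decode', user_get($db, $escaped));
    return array_merge($existing, $post);
}

// "raw_data" idea: the save path reads unescaped values, so nothing needs undoing.
function save_raw(array $db, array $escaped, array $post): array {
    return array_merge(user_get($db, $escaped, true), $post);
}

// Constructed record; 'about' deliberately holds a literal entity typed by the user.
$db   = ['location' => 'Tom & Jerry', 'about' => 'write &amp; for an ampersand', 'sig' => 'old'];
$post = ['sig' => 'new'];   // a control center page that posts neither profile field

$twice = save_buggy(save_buggy($db, $escaped, $post), $escaped, $post);
$results = [
    'buggy save, run twice' => $twice,
    'decode before merge'   => save_decode($db, $escaped, $post),
    'raw read on save'      => save_raw($db, $escaped, $post),
];
foreach ($results as $label => $row) {
    printf("%-22s location=%s | about=%s\n", $label, $row['location'], $row['about']);
}
```

The decode row restores location but rewrites the literal entity stored in about, which is the case raised in the 01:54PM reply; the raw read leaves both fields exactly as stored.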