News Story Submittal Stripping Out HTML

New Member Joined: Jun 26, 2005 Posts: 12

Hmm... interesting problem here...

News Stories submitted are stripping out the html that is embedded in the story. This is happening when the user hits the submit button. It show up just fine in the preview. It is not stored in the database correctly when submitted. As admin, I can put the html tags back in when I post the story and they get saved correctly.

This is nuke 7.6 with patch 3.0b and sentinel applied. I have checked the allowed html in config.php and it seems to be correct. Actually, I havent changed it. I have another installation that the tags work correctly on. The submit_news module seems to strip out ALL html tags. Usually the only tags used are br, img and a href.

I have tried looking in the submit_news module in the submit function but it also appears to be unchanged and correct.

I must be missing something obvious that I will hate myself for later Sad

Any ideas or suggestions would be appreciated...

Mr Papa

Sells PC To Pay For Divorce Joined: Posts: 5661

well i suggest to delete it and upload a new submit news module..
we both have exactly the same and i dont have any problems..
also try to compare with your other site what settings are,what is allowed and what isnt.

Posted: Tue Aug 09, 2005 8:15 pm

Alright, I have fixed the problem, but I dont really understand why.

The problem (or at least the fix) was in the check_html routine inside the mainfile.php

Here is that code unaltered from the 7.6 version patched 3.0b from this site with Sentinel then installed:

Code:




function check_html ($str, $strip="") {


    /* The core of this code has been lifted from phpslash */


    /* which is licenced under the GPL. */


    if ($strip == "nohtml")


       global $AllowableHTML; 


       if (!is_array($AllowableHTML)) $AllowableHTML =array('');


   $str = stripslashes($str);


   $str = eregi_replace("<[[:space:]]*([^>]*)[[:space:]]*>",'<\\1>', $str);


           // Delete all spaces from html tags .


   $str = eregi_replace("<a[^>]*href[[:space:]]*=[[:space:]]*\"?[[:space:]]*([^\" >]*)[[:space:]]*\"?[^>]*>",'<a href="\\1">', $str);


           // Delete all attribs from Anchor, except an href, double quoted.


   $str = eregi_replace("<[[:space:]]* img[[:space:]]*([^>]*)[[:space:]]*>", '', $str);


       // Delete all img tags


   $str = eregi_replace("<a[^>]*href[[:space:]]*=[[:space:]]*\"?javascript[[:punct:]]*\"?[^>]*>", '', $str);


       // Delete javascript code from a href tags -- Zhen-Xjell @ http://nukecops.com


   $tmp = "";


   while (ereg("<(/?[[:alpha:]]*)[[:space:]]*([^>]*)>",$str,$reg)) {


      $i = strpos($str,$reg[0]);


      $l = strlen($reg[0]);


      if ($reg[1][0] == "/") $tag = strtolower(substr($reg[1],1));


      else $tag = strtolower($reg[1]);


      if ($a = $AllowableHTML[$tag])


         if ($reg[1][0] == "/") $tag = "</$tag>";


         elseif (($a == 1) || ($reg[2] == "")) $tag = "<$tag>";


         else {


           # Place here the double quote fix function.


           $attrb_list=delQuotes($reg[2]);


           // A VER


           $attrb_list = ereg_replace("&","&amp;",$attrb_list);


           $tag = "<$tag" . $attrb_list . ">";


         } # Attribs in tag allowed


      else $tag = "";


      $tmp .= substr($str,0,$i) . $tag;


      $str = substr($str,$i+$l);


   }


   $str = $tmp . $str;


   return $str;


   exit;


   /* Squash PHP tags unconditionally */


   $str = ereg_replace("<\?","",$str);


   return $str;


}

The problem is/was that the AllowableHTML array was always empty. This iarray is defined in the config.php file. After looking at some of my 7.5 installations I noted that version had the following statement in the check_html routine right after the function declaration:

Code:

    include("config.php");

Actually, the 7.5 version has that in a lot of the routines where as the 7.6 does not.

Anyways, adding that statement in correct the problem. Decided to dig a llittle further and try to understand how this was possible.

It appears that earlier in the mainfile.php, the config.php file was included and should have had scope to its variables. It is included in this statement that was modified during the Sentinel installation:

Code:




if (defined('FORUM_ADMIN')) {


    @require_once("../../../config.php");


    @require_once("../../../db/db.php");


    @require_once("../../../includes/ipban.php");


    @include_once("../../../includes/nukesentinel.php");


} elseif (defined('INSIDE_MOD')) {


    @require_once("../../config.php");


    @require_once("../../db/db.php");


    @require_once("../../includes/ipban.php");


    @include_once("../../includes/nukesentinel.php");


} else {


    @require_once("config.php");


    @require_once("db/db.php");


    @require_once("includes/ipban.php");


    @include_once("includes/nukesentinel.php");


}

which is somewhat near the top of mainfile.php

Shouldnt that include have worked for the config.php??

I am also a little confused by the location of the global $AllowableHTML statement right after the IF statement. With no braces, isnt just the next statement after the IF statement executed? Which is the global... Or is that ignored and its the next executable statement??

Good progamming practice to always use the {} with your code Rolling Eyes

So, any ideas on what's up or why my additional includes fixed the problem? If I didnt screw something up (which I am sure I did, shouldnt everyone have this issue?

Thanks...

Mr Papa

Posted: Wed Aug 10, 2005 4:52 am

well im not having any problems..
And the code changes sometimes,i dont know why..
maybe you should start a new topic about this ,specially focused to this issue.