Problem getting HTML from the post

rgjoyce

Mar 19, 2013, 9:43:20 AM
to joomla-de...@googlegroups.com
Everything I try strips all the html code from the post array.

$jinput = JFactory::getApplication()->input;
$text = $jinput->post->get('question_wording',null,'HTML');

results in an empty output.

I would have expected this to allow HTML in the response, but it calls the clean function which calls _remove and it actually seems to strip all my html.

Please, how can I get the HTML that the user has entered in the wysiwyg editor????
Changing HTML to raw also has the same result. It strips all the html code.

r...@osdcs.com

Mar 19, 2013, 12:04:32 PM
to joomla-de...@googlegroups.com
$_POST or $_GET? Are you serious. How secure is that....


-----Original Message-----
From: joomla-de...@googlegroups.com
[mailto:joomla-de...@googlegroups.com] On Behalf Of Viper
Sent: Tuesday, March 19, 2013 9:46 PM
To: joomla-de...@googlegroups.com
Subject: [jgen] Re: Problem getting HTML from the post
Just use $_POST['question_wording'] OR $_GET instead of JInput.
Or you can try to embed JFilterInput parameters for HTML input.

Chris Davenport

Mar 19, 2013, 12:04:30 PM
to joomla-de...@googlegroups.com
No! Never use $_POST or $_GET directly. You must always filter user input.

See: http://docs.joomla.org/Secure_coding_guidelines

Needs updating for JInput, but should be basically the same.

Chris.



On 19 March 2013 14:46, Viper <goodla...@gmail.com> wrote:
On Tuesday, March 19, 2013 3:43:20 PM UTC+2, rgjoyce wrote:
Just use $_POST['question_wording'] OR $_GET instead of JInput.
Or you can try to embed JFilterInput parameters for HTML input.

--
Chris Davenport
Joomla Production Leadership Team

r...@osdcs.com

Mar 19, 2013, 12:26:14 PM
to joomla-de...@googlegroups.com
The problem is this.
In $_POST I can see my info:
Array
(
    [option] => com_comp
    [controller] => questions
    [task] => saveQuestions
    [question_type_id] => 17
    [question_id] => 79
    [answer_id] => 79
    [totalQuestionsInLesson] => 3
    [insert_into_no] => 
    [question_name] => sdsdsds
    [question_wording] => <object width=\"425\" height=\"350\">
<param name=\"movie\" value=\"http://www.youtube.com/v/tIBxavsiHzM\" />
<embed src=\"http://www.youtube.com/v/tIBxavsiHzM\"
  type=\"application/x-shockwave-flash\" width=\"425\" height=\"350\" />
</object>
    [gen_feedback] => 
    [submit] => Save
)
I'm trying to get the html code in the question_wording value.
JRequest::getString( 'question_wording', '', 'post', JREQUEST_ALLOWHTML ); Doesn't work
$input = new JInput;
$data = $input->post;
$text = $input->get('question_wording','','raw'); Doesn't work
I've tried every variation that I can think of.
The value always comes out empty, stripped of html. I actually opened the input.php class file and went through all the filter variations. They ALL stripped out my html.
The reason for wanting to do it using JInput is that as far as I can see JRequest is being deprecated and I don't want to have to redo my component code again in 3.5

 



Adam Rifat

Mar 19, 2013, 1:26:58 PM
to joomla-de...@googlegroups.com
If you are using JForm try something like this:

    $app = JFactory::getApplication();
    $data = $app->input->post->get('jform', array(), 'array');

HTH

Adam Rifat

Mar 19, 2013, 1:29:26 PM
to joomla-de...@googlegroups.com
Or if you are using JForm which filter are you using on the form field?

-- Tags for the Default Black List include: 'applet', 'body', 'bgsound', 'base', 'basefont', 'embed', 'frame', 'frameset', 'head', 'html', 'id', 'iframe', 'ilayer', 'layer', 'link', 'meta', 'name', 'object', 'script', 'style', 'title', 'xml'

So unless you whitelist the tag you want or change the filter on the form field I guess it will get stripped.

Does that make sense?

Rob Joyce

Mar 20, 2013, 1:45:37 AM
to joomla-de...@googlegroups.com
This is horrible.
What is missing?
Has something been dropped from joomla to stop html code?
I am logged in as the su admin user and filtering is set to no filter.
 
$app = JFactory::getApplication();
$data = $app->input->post->get('question_wording', array(), 'array');
print_r($data[0]);
This is the ONLY code that will get my html code from the posted info.
 
Where are we going wrong?
 
I tried ALL of these variations from the class file. Only array worked. I would have expected HTML to have worked.
//        print_r($input->post->get('question_wording',null,'html')); echo '<p>';
//        print_r($input->post->get('question_wording',null,'int')); echo '<p>';
//        print_r($input->post->get('question_wording',null,'integer')); echo '<p>';
//        print_r($input->post->get('question_wording',null,'uint')); echo '<p>';
//        print_r($input->post->get('question_wording',null,'float')); echo '<p>';
//        print_r($input->post->get('question_wording',null,'double')); echo '<p>';
//        print_r($input->post->get('question_wording',null,'bool')); echo '<p>';
//        print_r($input->post->get('question_wording',null,'boolean')); echo '<p>';
//        print_r($input->post->get('question_wording',null,'word')); echo '<p>';
//        print_r($input->post->get('question_wording',null,'alnum')); echo '<p>';
//        print_r($input->post->get('question_wording',null,'cmd')); echo '<p>';
//        print_r($input->post->get('question_wording',null,'base64')); echo '<p>';
//        print_r($input->post->get('question_wording',null,'string')); echo '<p>';
//        print_r($input->post->get('question_wording',null,'array')[0]); echo '<p>';
//        print_r($input->post->get('question_wording',null,'path')); echo '<p>';
//        print_r($input->post->get('question_wording',null,'username')); echo '<p>';
//        print_r($input->post->get('question_wording',null,null)); echo '<p>';
I also note at the top of the /libraries/joomla/input/input.php file the following comments:
 * @method      integer  getInt()       getInt($name, $default = null)    Get a signed integer.
 * @method      integer  getUint()      getUint($name, $default = null)   Get an unsigned integer.
 * @method      float    getFloat()     getFloat($name, $default = null)  Get a floating-point number.
 * @method      boolean  getBool()      getBool($name, $default = null)   Get a boolean.
 * @method      string   getWord()      getWord($name, $default = null)
 * @method      string   getAlnum()     getAlnum($name, $default = null)
 * @method      string   getCmd()       getCmd($name, $default = null)
 * @method      string   getBase64()    getBase64($name, $default = null)
 * @method      string   getString()    getString($name, $default = null)
 * @method      string   getHtml()      getHtml($name, $default = null)
 * @method      string   getPath()      getPath($name, $default = null)
 * @method      string   getUsername()  getUsername($name, $default = null)
I don't see a getHtml function defined ANYWHERE in the whole of the joomla system, so why would this text be here?
 
Yours Sincerely
Rob Joyce

Manoj Londhe

Mar 22, 2013, 7:37:45 AM
to joomla-de...@googlegroups.com
I am not using JForm....I am facing similar problem ... 

Joseph Cardwell

Jan 17, 2015, 1:57:19 PM
to joomla-de...@googlegroups.com
So the reason this isn't working is because at some point JFilterInput was set up to make WHITELIST the default filter for html tags and attributes. So unless your tags are in the whitelist for the user submitting the html, then they will be stripped.

The code for JFilterInput::getInstance():

/**
* Returns an input filter object, only creating it if it doesn't already exist.
*
* @param array $tagsArray List of user-defined tags
* @param array $attrArray List of user-defined attributes
* @param integer $tagsMethod WhiteList method = 0, BlackList method = 1
* @param integer $attrMethod WhiteList method = 0, BlackList method = 1
* @param integer $xssAuto Only auto clean essentials = 0, Allow clean blacklisted tags/attr = 1
*
* @return JFilterInput The JFilterInput object.
*
* @since 11.1
*/
public static function &getInstance($tagsArray = array(), $attrArray = array(), $tagsMethod = 0, $attrMethod = 0, $xssAuto = 1){}

The way around this? Create your own instance of JFilterInput so that you can manage the settings it is created with.

$jInputFilter = JFilterInput::getInstance(null,null,1,1,0);
$unclean_html = JFactory::$application->input->get('yourtextfield',null,"RAW");
$clean_html = $jInputFilter->clean($unclean_html,'html');


I get the objective behind making whitelist the default, but I still disagree. The small set of tags left after blacklist is removed doesn't seem to pose much of a threat, so why not leave that as the default filter? Ugh..

Anyway, hope this helps.
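
A narrower variant of the filter above, as an added example that is not part of the original post or of Joomla's code: `getInstance(null,null,1,1,0)` runs in blacklist mode with an empty list and auto-clean off, so this version keeps whitelist mode and names only the tags the YouTube embed posted earlier in the thread needs. The helper names `getEmbedHtml` and `embedUrlsAllowed`, the tag and attribute lists and the allowed host are assumptions.

```php
<?php
defined('_JEXEC') or die; // assumption: runs inside a Joomla component

// Hypothetical helper: read a posted field, keeping only the markup that
// the YouTube embed shown earlier in the thread needs.
function getEmbedHtml($field)
{
    // Whitelist mode (0) for tags and attributes: anything unlisted is dropped.
    $tags  = array('p', 'br', 'strong', 'em', 'object', 'param', 'embed');
    $attrs = array('width', 'height', 'name', 'value', 'src', 'type');

    // xssAuto = 0: per the docblock above, 1 also cleans the default
    // blacklisted tags, and that list includes 'object' and 'embed'.
    $filter = JFilterInput::getInstance($tags, $attrs, 0, 0, 0);

    $raw   = JFactory::getApplication()->input->post->get($field, '', 'RAW');
    $clean = $filter->clean($raw, 'html');

    // With auto-clean off, vet the URL-bearing attributes explicitly.
    // The allowed host is a sample value for this thread's embed.
    return embedUrlsAllowed($clean, array('www.youtube.com')) ? $clean : '';
}

// Hypothetical helper: true only if every embed/movie URL is http(s) on an allowed host.
function embedUrlsAllowed($html, array $hosts)
{
    if (trim($html) === '') {
        return true;
    }
    $previous = libxml_use_internal_errors(true);
    $doc = new DOMDocument;
    $doc->loadHTML('<div>' . $html . '</div>');
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    $xpath = new DOMXPath($doc);
    $urls  = $xpath->query(
        '//embed/@src | //param[translate(@name, "MOVIE", "movie") = "movie"]/@value'
    );
    foreach ($urls as $attr) {
        $parts = parse_url(trim($attr->value));
        if (!is_array($parts) || !isset($parts['scheme'], $parts['host'])
            || !in_array(strtolower($parts['scheme']), array('http', 'https'), true)
            || !in_array(strtolower($parts['host']), $hosts, true)) {
            return false;
        }
    }
    return true;
}
```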