Simple Machines Community Forum

Customizing SMF => SMF Coding Discussion => Topic started by: Sir Osis of Liver on August 14, 2014, 12:08:04 AM

Title: Apostrophe saved to database as &#039;
Post by: Sir Osis of Liver on August 14, 2014, 12:08:04 AM
An annoying little problem.  When saving an image title to db, apostrophes (single quotes) are saved as &#039;, i.e., Krash&#039;s beer.jpg.  It displays correctly when retrieved from db, but email notifications containing the title show the &#039; instead of the apostrophe.  Any way to fix this?
Title: Re: Apostrophe saved to database as '
Post by: Illori on August 14, 2014, 05:44:43 AM
which email notifications?
Title: Re: Apostrophe saved to database as &#039;
Post by: Sir Osis of Liver on August 14, 2014, 05:24:11 PM
It's a gallery mod, I added a comment notification using php mail().  When title string is saved to database, apostrophes are replaced with &#039;, and that's how they appear in the email.  Fixed it with str_replace, but am curious why it is saved that way.
Title: Re: Apostrophe saved to database as &#039;
Post by: Arantor on August 14, 2014, 05:34:21 PM
The standard practice in SMF is to htmlspecialchars everything with the ENT_QUOTES option to neuter any chance of persistent XSS attacks. It's absolutely deliberate that everything in SMF is saved that way. I really hope you did it before the email was sent rather than mashing it up as it goes into the database because it's much better practice to make sure what you have in the database is safe and can be safely displayed under all circumstances and deprotected only when necessary.
Title: Re: Apostrophe saved to database as &#039;
Post by: butchs on August 14, 2014, 08:16:15 PM
Please stop using that offending neuter word.  :(
Title: Re: Apostrophe saved to database as &#039;
Post by: Kindred on August 14, 2014, 09:36:27 PM
What offending neuter word? That is the correct term for the action...
Title: Re: Apostrophe saved to database as &#039;
Post by: Arantor on August 15, 2014, 01:07:15 PM
He's trying to be funny pretending to be a cat.
Title: Re: Apostrophe saved to database as &#039;
Post by: Sir Osis of Liver on August 15, 2014, 01:48:19 PM
I thought it was security related.  Didn't change db values, fixed it before sending email.  Will see if I can figure out which other characters are affected.
Title: Re: Apostrophe saved to database as &#039;
Post by: Arantor on August 15, 2014, 01:50:50 PM
htmlspecialchars with ENT_QUOTES affects <, >, &, ' and " and replaces them with lt, gt, amp, 039 numeric form and quot entities respectively.

You will also notice the interesting behaviour that at Illori's reply, the entity was parsed as an entity rather than not. Love me some interesting behaviour.
Title: Re: Apostrophe saved to database as &#039;
Post by: Sir Osis of Liver on August 15, 2014, 02:13:17 PM
If you copy the text of my reply to Illori into post editor and preview, the 'Subject' field and preview title bar display the apostrophe, but the post text displays the ascii code. The title bar of this thread also displays the code.

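
The store-encoded, decode-only-for-plain-text pattern discussed in this thread, as an added example that is not SMF code, gallery-mod code, or any participant's code. The function names and the sample title are constructed for illustration.

```php
<?php
// Added example; function names are hypothetical, not SMF APIs.

// Storage side: the convention described in the thread. Encode once, with
// ENT_QUOTES, so the stored value is safe to print into HTML everywhere.
function encode_for_storage(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

// Plain-text sink (for example the body handed to mail()): undo exactly what
// htmlspecialchars() did. ENT_QUOTES is passed explicitly because before
// PHP 8.1 the default flags did not decode &#039;.
function decode_for_plain_text(string $stored): string
{
    return htmlspecialchars_decode($stored, ENT_QUOTES);
}

// HTML sink: the stored value is already encoded, so it is printed as is.
// Running htmlspecialchars() on it again would double-encode the ampersands.
function render_for_html(string $stored): string
{
    return $stored;
}

// Constructed sample title containing all five affected characters.
$raw    = 'Krash\'s "beer" <&> more.jpg';
$stored = encode_for_storage($raw);

// What lands in the database column.
echo $stored, PHP_EOL;

// Replacing only the apostrophe entity leaves &quot;, &lt;, &gt; and &amp;
// behind in the notification text.
echo str_replace('&#039;', "'", $stored), PHP_EOL;

// Decoding at the point of use restores the original title for the e-mail
// body while the database copy stays encoded.
echo 'New comment on: ', decode_for_plain_text($stored), PHP_EOL;

// The round trip is exact for all five characters.
var_dump(decode_for_plain_text($stored) === $raw);
```

The decoded value belongs only in plain-text output; an HTML e-mail template should receive the stored, still-encoded form.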