[Video CMS v4] Inclusion of <br /> tags in scripts


Hersh  December 18, 2014, 08:25:56 AM

I'm having issues with PHPVibe adding line break tags to Google Analytics and AdSense codes. It doesn't look like the line breaks are being inserted into the db though. It's just adding line breaks to the script when it renders it on the page.

Example AdSense:

Code
<div class="static-ad"><script async src="//pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script><br />
<!-- Responsive Ad Unit --><br />
<ins class="adsbygoogle"<br />
     style="display:block"<br />
     data-ad-client="ca-pub-*************"<br />
     data-ad-slot="********"<br />
     data-ad-format="auto"></ins><br />
<script><br />
(adsbygoogle = window.adsbygoogle || []).push({});<br />
</script>


Google Analytics:

Code
<script>(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){<br />
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),<br />
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)<br />
})(window,document,'script','//www.google-analytics.com/analytics.js','ga');<br />
<br />
ga('create', 'UA-******-1', 'auto');<br />
ga('send', 'pageview');</script>



Hersh  December 18, 2014, 09:54:45 AM

Ok, I figured it out. This is the cause:

Code
function _html($txt){
return nl2br(stripslashes(html_entity_decode($txt, ENT_QUOTES, 'UTF-8')));
}



@Mario  December 18, 2014, 02:36:07 PM

See this:

Ok, here is a brief update:

lib/functions.html.php

Find:

Code
//This light function strips everything...no questions asked
//...except for some few safe html tags


Replace the function under this comment with:



Code

function antixss_light($text) {
    $text = preg_replace( '@<(script|style)[^>]*?>.*?</\\1>@si', '', $text );
    $text = strip_tags($text);
    //Remove external scripts
    $search = array(
        '@<script[^>]*?>.*?</script>@si',   // Strip out javascript
        '@<style[^>]*?>.*?</style>@siU',    // Strip style tags properly
        '@<![\s\S]*?--[ \t\n\r]*>@'         // Strip multi-line comments
    );
    $tx_output = preg_replace($search, '', $text);
    //Deep remove the rest
    $injections = array('<script','iframe','<object','applet','<embed','onblur',');>','onchange','onclick','ondblclick','onfocus','onkeydown','onkeypress','onkeyup','onload','onmousedown','onmousemove','onmouseout','onmouseover','onmouseup','onreset','onselect','onsubmit','onunload', '<src','<img src','onerror','prompt(','alert(', 'document.body.innerHTML', 'document.body', 'document.title','<!--','innerHTML');
    $output = str_replace($injections, '', $tx_output);
    return $output;
}


Hello!
If you wish to learn how to start coding on the PHPVibe Video CMS head to the blog.

Please use the search before opening a new topic!


Hersh  December 18, 2014, 06:14:52 PM

Yeah, the anti XSS code, I have seen that. I updated it the other day. I thought maybe it might have caused the issue but it appears this modification I made (per your suggestion) is what actually caused the problem:

Code
function _html($txt){
return nl2br(stripslashes(html_entity_decode($txt, ENT_QUOTES, 'UTF-8')));
}

I switched it back to the original:
Code
function _html($txt){
return stripslashes(html_entity_decode($txt, ENT_QUOTES));
}

The anti XSS function doesn't appear to have anything to do with it.



@Mario  December 18, 2014, 09:30:52 PM

I think the ads system needs a different output function than _html.
This is something at the moment I was unaware of, so thanks!



Hersh  December 19, 2014, 12:49:21 AM

^^Anytime. Don't forget Analytics codes as well!

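The separate output path for ad and analytics codes discussed above, as an added example that is not PHPVibe code and was not posted by anyone in this thread. `_text()` and `_embed()` are hypothetical names, the sample snippet is constructed, and it is assumed that embed codes are stored entity-encoded and are editable only by administrators.

```php
<?php
// Added example, not PHPVibe code. _text() and _embed() are hypothetical names.

// The variant from the thread: nl2br() runs on whatever was stored, so a
// multi-line <script> snippet gets <br /> inserted into the JavaScript.
function _html($txt) {
    return nl2br(stripslashes(html_entity_decode($txt, ENT_QUOTES, 'UTF-8')));
}

// For user-supplied text (titles, descriptions, comments): escape first,
// then add line breaks, so the only markup in the output is our own <br />.
function _text($txt) {
    return nl2br(htmlspecialchars($txt, ENT_QUOTES, 'UTF-8'));
}

// For embed code saved by an administrator (ads, analytics): decode the
// stored entities and emit unchanged. No nl2br(), no tag filtering.
// Assumption: only admin-only settings are ever rendered through this,
// and the stored value carries no added slashes.
function _embed($stored) {
    return html_entity_decode($stored, ENT_QUOTES, 'UTF-8');
}

// Constructed sample: an analytics-style snippet as it might be stored
// (entity-encoded, containing newlines). The property ID is a placeholder.
$snippet = "<script>\nga('create', 'UA-XXXXXX-1', 'auto');\nga('send', 'pageview');\n</script>";
$stored  = htmlspecialchars($snippet, ENT_QUOTES, 'UTF-8');

$viaHtml  = _html($stored);
$viaEmbed = _embed($stored);

// Compare the two render paths for the same stored value.
echo "_html() inserted <br />: ";
var_dump(strpos($viaHtml, '<br />') !== false);
echo "_embed() round-trips the snippet: ";
var_dump($viaEmbed === $snippet);

// Constructed user comment: markup in it stays inert through _text(),
// while the newline still becomes a visible line break.
$comment = "nice video\n<script>x()</script>";
echo _text($comment), "\n";
```

Keeping the two paths separate means `nl2br()` can stay on text fields without touching script snippets, and raw output stays confined to the admin-managed ad and analytics settings.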