Save User's Web
RateU (Administrator)
Post: #1
Is there any reason why MyBB saves the user's web field using htmlspecialchars() inside the escape_string()?

Sorry for this noob question.

07-12-2012 08:10 AM
ZiNgA BuRgA
Post: #2
RE: Save User's Web
It's done twice in case one of them fails.
Oh, and the & character is evil - surely no website of concern has one of those buggers..

07-12-2012 08:37 PM
RateU (Administrator)
Post: #3
RE: Save User's Web
Some of my users use their profile page URL as their website. So the & character is displayed as & in the page source, and as &uid=x in the front end (profile page), because MyBB uses htmlspecialchars_uni() in the profile page (and postbit).

07-13-2012 03:59 AM
Sama34 (Senior Member)
Post: #4
RE: Save User's Web
Maybe you can "fix" it with Template Conditionals PHP shortcut code. But I'm not sure what function to use or if it will be safe to do it.
Or you can write a plugin to redirect from member.php?profile=X to member.php?action=profile&uid=X and tell your users to use that instead?

(This post was last modified: 07-13-2012 09:35 AM by Sama34.)
07-13-2012 09:33 AM
ZiNgA BuRgA
Post: #5
RE: Save User's Web
(07-13-2012 09:33 AM)Sama34 Wrote:  Or you can write a plugin to redirect from member.php?profile=X to member.php?action=profile&uid=X and tell your users to use that instead?
No, the problem is that MyBB has a bug where it's double-escaping the user's website.

07-13-2012 08:11 PM
RateU (Administrator)
Post: #6
RE: Save User's Web
And again, personally (only my personal opinion), I think it is better to use a regex to verify the user's website field, like what XThreads does if we create a textbox and assign a Text Mask Filter (URI Generic, URL or URL (HTTP/S)) to the textbox.

Right now, I can see this in the user's website field:

Code:
http://This is my website. Ha ha ha ha!!!!!

But maybe it is because I'm not familiar with SEO URLs.

07-14-2012 04:28 AM
Sama34 (Senior Member)
Post: #7
RE: Save User's Web
haha

Well, yes, it is a "bug", but unless you want to report it and they consider it worth fixing, you need to do something from your end.

You can write a plugin to check users' websites before saving from the usercp. IMO, this field should be a profile field, but that is not related to this; we could use RateU's plugins to use regex.

07-14-2012 05:02 AM
RateU (Administrator)
Post: #8
RE: Save User's Web
I don't mind (personally) if the website field is in the users table (although I prefer this as a custom field). But I think it is a big bonus if MyBB adds more validation to it in the verify_website() function, and, if it doesn't have any negative effect, does not htmlspecialchars() the value inside the escape_string() when saving to the db.

Because this is a default MyBB field, maybe it is better if the above things are done by the default MyBB userhandler.

But again, I don't know what a framework or a software should do to save a website/URL field.

07-14-2012 07:12 AM
ZiNgA BuRgA
Post: #9
RE: Save User's Web
In general, you shouldn't escape stuff in the DB - the DB should store raw unescaped data, which should be escaped when displayed to the user.
(An exception is if you wish to cache parsing.)

07-14-2012 12:17 PM
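To make the double-escaping concrete, here is an added PHP example (not MyBB's own code): db_escape()/db_unescape() are placeholders standing in for the database layer's escape_string() and its inverse, and verify_website_strict() is a hypothetical stricter check of the kind RateU asks for, built on PHP's filter_var().

```php
<?php
// Added example, not MyBB code. It reproduces the double-escaping effect
// discussed in this thread and shows the store-raw/escape-on-output pattern
// together with a stricter website check. db_escape()/db_unescape() are
// placeholders for the driver's escape_string() and what comes back from the DB.

function db_escape(string $s): string
{
    // SQL escaping only; a real driver would use mysqli_real_escape_string().
    return addslashes($s);
}

function db_unescape(string $s): string
{
    return stripslashes($s);
}

// Hypothetical stricter verify_website(): accept only absolute http(s) URLs,
// so free text such as "http://This is my website. Ha ha ha ha!!!!!" is rejected.
function verify_website_strict(string $url): bool
{
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true);
}

// Constructed sample: a user's own profile page used as their website.
$website = 'http://example.invalid/member.php?action=profile&uid=42';

// 1. Behaviour described in the thread: HTML-escape inside the SQL escape when
//    saving, then HTML-escape again on display (htmlspecialchars_uni() in MyBB).
//    The first pass turns '&' into '&amp;'; the second pass escapes the '&' of
//    '&amp;' once more, so the browser renders the literal text "&amp;uid=42".
$stored = db_escape(htmlspecialchars($website));
$displayed = htmlspecialchars(db_unescape($stored));
echo $displayed, "\n";

// 2. Store the raw URL and escape exactly once when rendering: the single
//    '&amp;' is decoded by the browser back to '&' and the link works.
$stored = db_escape($website);
$displayed = htmlspecialchars(db_unescape($stored));
echo $displayed, "\n";

// 3. Validate before saving instead of relying on escaping alone.
var_dump(verify_website_strict($website));
var_dump(verify_website_strict('http://This is my website. Ha ha ha ha!!!!!'));
```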