AB&CD;Above, I entered AB then an ampersand then CD.
However, in my EE site it seems to add a trailing semicolon and removing the trailing line break. So, if it does that here too—is there a way to stop that?
Can you please enter your original input in between [ code ] input [/ code ] tags (Get rid of the spaces in the tags)? Also, what version and build are you running?
Sure, in CODE:
AB&CD;And then a return
And the exact same text, entered in the post:
AB&CD;And then a return
EDIT: it misformats within the CODE block too, just type AB then an ampersand then CD then a return and then some text—you’ll wind up with something different—same happens in this forum.
Unfortunately turnstyle, this is unavoidable. What you see is a security feature of EE. In HTML, special characters follow the pattern of &code; (ampersand-code-semicolon). Special characters without the semicolon are said to be “malformed”. In some browsers, if you leave off the semicolon you can inject malicious code (i.e. hack) and so EE looks for special characters without the semicolon and adds it itself. So in your case, “&CD” is triggering this.
EE is not able to tell that the text is harmless and intended, as we err on the side of caution. One way around this is to use spaces, or to code out the full special character for an ampersand, which is &amp;
There are no known exploits for single character malformed entities, so we allow those. We try to be as unreactive as possible
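As an added illustration (this is example code written for this page, not ExpressionEngine's own filter), the following re-implements the behaviour the staff reply describes: find an ampersand followed by an entity-like name that lacks its closing semicolon and terminate it, while leaving single-character fragments such as "&a" alone. It also applies the recommended workaround automatically (bare ampersands become &amp;) and runs each result through Python's html.unescape, which follows the HTML5 character-reference rules, so you can see what a browser-style decoder makes of the text. The regexes, the function names and the sample strings are assumptions made for the example; unlike the behaviour complained about later in the thread, add_semicolons keeps the whitespace after the entity exactly as typed.

```python
"""Illustrative re-implementation (not ExpressionEngine's code) of the
"add a semicolon to malformed entities" normalisation discussed in the
thread, the &amp; workaround, and a browser-style decode of each result."""
import html
import re

# An entity name: numeric (&#123; / &#x1F;) or named (&CD).  The named form
# requires at least two characters so that single-character fragments such
# as "&a" pass untouched, as the thread says EE allows.  The negative
# lookahead skips names that already end in a semicolon.  (Regex is an
# assumption; it approximates the behaviour described, not EE's own rule.)
_MALFORMED = re.compile(
    r'&(#x[0-9A-Fa-f]+|#[0-9]+|[A-Za-z][A-Za-z0-9]+)(?![;A-Za-z0-9])'
)

# A bare '&' is one that does NOT start a well-formed (semicolon-terminated)
# character reference.
_BARE_AMP = re.compile(
    r'&(?!(?:#x[0-9A-Fa-f]+|#[0-9]+|[A-Za-z][A-Za-z0-9]*);)'
)


def add_semicolons(text: str) -> str:
    """Terminate malformed entities with ';' but keep the surrounding
    whitespace (spaces, line breaks) exactly as the user typed it."""
    return _MALFORMED.sub(r'&\1;', text)


def escape_ampersands(text: str) -> str:
    """The workaround from the thread, applied automatically: every bare '&'
    becomes '&amp;' so a browser displays the literal ampersand intended.
    Ampersands that already begin a well-formed reference are left alone."""
    return _BARE_AMP.sub('&amp;', text)


def as_browser_sees(text: str) -> str:
    """Decode character references the way an HTML parser's text decoder
    would.  html.unescape follows the HTML5 named-reference table, which
    includes the legacy names accepted without a semicolon (e.g. '&copy')."""
    return html.unescape(text)


if __name__ == '__main__':
    # Constructed sample inputs mirroring the cases raised in the thread.
    samples = [
        "AB&CD and then a return\n",
        "rock&roll EE",
        "AB&CD; already terminated",
        "&a single-character fragment",
        "&copy 2020 (legacy name, no semicolon)",
    ]
    for s in samples:
        print(repr(s))
        print("  semicolon added :", repr(add_semicolons(s)))
        print("  amp-escaped     :", repr(escape_ampersands(s)))
        print("  browser decodes :", repr(as_browser_sees(escape_ampersands(s))))
```

Note the difference between the two fixes: add_semicolons only normalises what the filter considers malformed, whereas escape_ampersands produces text that decodes back to exactly what the user typed, which is why the "&amp;" workaround is the one that keeps "rock&roll" looking like "rock&roll" on the rendered page.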
Do you happen to know of any references that shows how a malformed entity exploit might work? The idea is that a malformed HTML entity can force execution of Javascript?
There’s been much discussion of this on the net in general, and even on these forums. I’d prefer to keep the discussion focused on helping you come to a resolution. Are you able to use one of the recommended workarounds on your site?
I understand that if I were to change the text, then EE won’t reformat it—in this case, my users are entering text that is getting reformatted—and they then brought it to my attention—so I was hoping to find a way to change the behavior.
Can you perhaps indicate whether this behavior is in response to the PHP vulnerability referenced above? My Googling for ‘html entity exploit’ and ‘html entity vulnerability’ mostly pointed me to that.
One little note: if it *only* added the semicolon, that would be considerably better—as, right now, it also removes any trailing whitespace (spaces or line breaks).
For example, if I want to write rock&roll;EE will then add the semi after ‘roll’ and ALSO eliminate the space before EE—so my sentence looks sloppy—ie, it would be nicer if it just added the semi, and left the whitespace intact—is that perhaps a reasonable tweak?
The vulnerabilities we are protecting against are client side, XSS based attacks, not server side, so there is no way to effect changes at the server level. Here are two threads that may help out.
That said let’s see if we can work out a way to both protect your site and its users, and help them do data entry easily. Would a custom html button that output “&” do the trick? What about an educational campaign? Is it only 1 common phrase that’s getting caught?
I think, given the circumstance, it would be enough if EE left the trailing whitespace—or just treated such whitespace as it would treat any other whitespace.
Meaning, if I type &blah;and then a return (I entered a return after the blah)—I should then wind up with: