ExpressionEngine CMS

This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.


help! htmlspecialchars (or something) being applied to all input!

April 24, 2011 3:24pm

  • #1 / Apr 24, 2011 3:24pm

    jwelker78

    9 posts

    I needed to make a clone of a site. I bought a new license, duplicated the database and files, cleaned out the cache, updated all the paths and db credentials I could find, changed the license to match the new one, and began making changes. Everything seemed to be working, at first.

    But if I edit a template, global variable, or snippet and then save/update, all angle brackets are converted to named entities, as though htmlspecialchars() was called prior to writing to the database.

    All ‘<’ and ‘>’ are changed in a snippet, so that this:
    &lt;link rel="stylesheet" href="{stylesheet=global-embeds/global-styles}" media="screen,projection" type="text/css" /&gt; is output, breaking the entire page.

    In a template, it is more subtle.

    This code is from the top of a fairly long and complex template. All the brackets displayed are converted until the first DIV, which is left alone.

    {embed='global-embeds/preamble'}
        {if meta-description}<meta name="description" content="{meta-description}" />{/if}
        {global-stylesheets}
    <style type="text/css">
    {exp:channel:entries channel="pages" url_title="{last_segment}"}
            #content h1 {
                background: url({if header-image == ''}
                    {exp:categories category_group_id="4" {if segment_3 == ''} url_title="{segment_2}"{if:else} url_title="{segment_3}"{/if}} 
                    {if category_image == ''}/images/01/awaiting-image.jpg{if:else}{category_image}{/if}{/exp:categories}{if:else}{header-image}{/if}) no-repeat 0 0;
            }
            {/exp:channel:entries}
            </style>
            </head>
    <body id="company">
     {header}
         <div id="content" role="main">

    What is going on?!

  • #2 / Apr 25, 2011 5:10am

    John Henry Donovan

    12339 posts

    jwelker78,

    Is the clone of your site on the same server?
    If not, does it meet all EE’s requirements?

    When you say duplicated the database do you mean you exported it and reimported it into the new blank database?

  • #3 / Apr 25, 2011 7:06pm

    jwelker78

    9 posts

    Same web server and same database server. Different directory, obviously, and a new database. I exported then imported into a new database, yes. I’m hosting these two sites with Media Temple.

  • #4 / Apr 26, 2011 12:10pm

    Sue Crocker

    26054 posts

    Which flavor of MediaTemple? What about third party add-ons?

  • #5 / Apr 26, 2011 10:19pm

    jwelker78

    9 posts

    Media Temple GS… it’s pretty sluggish, actually.
    PHP 5.2.14
    MySQL 5.0.32

    3rd party components:
    MODULES
    Freeform
    MX Google Maps

    FIELDTYPES
    a few of the P&T Fieldtypes

    PLUGINS
    Category list
    CrumbEE
    ImageSizer
    Last Segment
    Low Replace
    MX Google Maps

  • #6 / Apr 27, 2011 3:53pm

    Sue Crocker

    26054 posts

    Hmmm.. I don’t have that problem in my MT GS installs. Does the same thing happen in new snippets?

  • #7 / Apr 27, 2011 7:39pm

    jwelker78

    9 posts

    Yes, unfortunately. And new templates. What possible causes could there be for this behavior, just generally speaking?

  • #8 / Apr 28, 2011 2:12pm

    Sue Crocker

    26054 posts

    I’m not certain what is causing the problem. What I’d suggest is the following:

    Make sure you have a recent database backup.

    Delete your current database and files. Re-upload your EE2.1.3 build 20110411 files, and install using the Agile theme.

    Once you do that, make sure you can add a snippet. If *that* works, then it could just be something in your other database.

    At that point, make another database backup.

    Then import the database from your original install… what happens then?

  • #9 / May 04, 2011 2:32am

    jwelker78

    9 posts

    I’m reluctant to attempt that suggestion, primarily because whatever is happening must happen before data reaches the database. Here is another observation. When the text entered doesn’t contain template tags, the angle brackets are left alone. In a test snippet containing the following two lines, the first line will not be altered but the second will.

    <span>this is a test</span>
    <link rel="stylesheet" href="{stylesheets=global-embeds/global-styles}" type="text/css" />

    Furthermore, after a lot of experimentation, it is pretty clear that content submitted via these forms is being run through a sanitizer of some sort which is selectively stripping html, mostly tags which belong in the document head. All of this will make it into the database without being munged:

    {exp:channel:entries channel="pages" dynamic="no" entry_id="15" limit="1"}
    <h2>{title}</h2>
    <p>{body-text}<br />
    {/exp:channel:entries}<br />
    <a href="http://{stylesheets=global-embeds/global-styles}">view css</a><br />
    <b>some text</b>

    but all of these will be changed:

    <style type="text/css">{exp:channel:entries channel="pages" url_title="{last_segment}"}
      #content h1 {
    background: url({if header-image == ''}
          {exp:categories category_group_id="4" url_title="{segment_2}"}
            {if category_image == ''}/images/01/awaiting-image.jpg{if:else}{category_image}{/if}
          {/exp:categories}{if:else}{header-image}{/if}) no-repeat 0 0;
      }
    {/exp:channel:entries}</style>

    Why would any form in the control panel, other than posts, be subject to this sort of sanitization?

  • #10 / May 04, 2011 3:11pm

    Brandon Jones

    5500 posts

    jwelker78, have you by any chance set

    $config['global_xss_filtering'] = TRUE;

    or

    $config['csrf_protection'] = TRUE;

    in system/expressionengine/config/config.php? Have you also disabled extensions?

  • #11 / May 05, 2011 4:50pm

    jwelker78

    9 posts

    Apparently I had enabled XSS filtering. In most CMS I’ve encountered, even ‘global’ filtering is not applied to forms for editing templates. It might be worth including in the comment something to the effect that “this will strip potentially malicious html from ALL FORMS, front end and back, including TEMPLATES, SNIPPETS, and GLOBAL VARIABLES” never mind that if a malicious user has access to those sections of your site, you’re already screwed.

  • #12 / May 05, 2011 6:24pm

    Brandon Jones

    5500 posts

    Aha! Yes, we are not lying when we say

    /*
     * --------------------------------------------------------------------
     *  END OF USER CONFIGURABLE SETTINGS.  DO NOT EDIT BELOW THIS LINE
     * --------------------------------------------------------------------
     */

    😉 as the rest are essentially configuring CodeIgniter, which has no knowledge of what forms are used for what input in the higher-level EE layer. In any case, glad you found the culprit!
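
The behaviour diagnosed in this thread, modelled as an added example that is not part of the original posts and is not CodeIgniter or ExpressionEngine code: a filter that runs on every submitted field cannot tell a control-panel template form from a public comment form, while a filter applied per field by the application can. `naive_global_filter`, its tag list, the field names and the sample input are assumptions constructed for illustration; PHP 7 or later is assumed.

```php
<?php
// Added illustration; not CodeIgniter or ExpressionEngine source.
// The tag list and field names below are constructed for this example.
const RISKY_TAGS = ['script', 'style', 'link', 'meta', 'iframe'];

// Hypothetical stand-in for a framework-level filter: entity-encode the
// brackets of denylisted tags and leave every other tag untouched.
function naive_global_filter(string $input): string
{
    $pattern = '#<(/?(?:' . implode('|', RISKY_TAGS) . ')\b[^>]*)>#i';
    return preg_replace($pattern, '&lt;$1&gt;', $input);
}

// Framework level: runs on every field before the application layer
// knows which form the request came from.
function receive_global(array $post): array
{
    return array_map('naive_global_filter', $post);
}

// Application level: only fields the application marks as untrusted
// are filtered; trusted template fields are stored as submitted.
function receive_per_field(array $post, array $untrustedFields): array
{
    foreach ($untrustedFields as $name) {
        if (isset($post[$name])) {
            $post[$name] = naive_global_filter($post[$name]);
        }
    }
    return $post;
}

// Constructed sample input: a control-panel snippet save plus a public comment.
$post = [
    'snippet_contents' => "<span>this is a test</span>\n"
        . '<link rel="stylesheet" href="{stylesheet=global-embeds/global-styles}" />',
    'comment' => '<script>alert(1)</script>',
];

$global = receive_global($post);
$scoped = receive_per_field($post, ['comment']);

echo "global filter, snippet:\n", $global['snippet_contents'], "\n\n";
echo "per-field filter, snippet:\n", $scoped['snippet_contents'], "\n\n";
echo "per-field filter, comment:\n", $scoped['comment'], "\n";
```

With the global variant the `<span>` line survives and the `<link>` line is entity-encoded, matching what was reported for snippets; with the per-field variant the snippet is stored unchanged and only the comment is encoded.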
