
On 10/23/13 5:18 AM, Michal Čihař wrote:
Hi
On Wed, 23 Oct 2013 09:28:12 +0200 Piotr Przybylski <piotr.prz@gmail.com> wrote:
2013/10/23 Michal Čihař <michal@cihar.com>
Hi
On Tue, 22 Oct 2013 20:48:14 -0400 Isaac Bennetch <bennetch@gmail.com> wrote:
In the user description field of the error reporting server, new lines are represented as \n rather than <br> or some other HTML-friendly means. This is easy to fix, however I'm not sure where best to fix it.
Do we convert the raw input before submission (line 58 of libraries/error_report.lib.php) or on display (line 88 of app/View/Incidents/view.ctp)? I think it's best to do it on submission, but wanted to double-check first.
Doing this at submission time would bring HTML into the server and we would have to do some sanity checking on it while displaying...
I don't think users should be allowed any HTML in bug reports. It will be much simpler then:
I agree to that. I just wanted to mention that in case we would do processing on the client side, it would make it harder later.
1. Unescape all escape sequences before storing them on our server, e.g. \n -> newline
I haven't checked the code, but I doubt the user has entered \n, I think there is rather some escaping done which converted newlines into \n.
2. Use nl2br before displaying, or wrap text with HTML block element with:
    white-space: -moz-pre-wrap; /* Firefox */
    white-space: -o-pre-wrap; /* Opera */
    white-space: pre-wrap; /* Chrome; W3C standard */
    word-wrap: break-word; /* IE */
It may require some tweaking, but it's doable in CSS.
Using nl2br is probably easier.
Thanks everyone for the comments. I wasn't able to test my patch, but it should be fixed by pull request at https://github.com/phpmyadmin/error-reporting-server/pull/21
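
A sketch of the approach the thread converges on (store plain text, then escape and apply nl2br only at display time), added here as an illustration and not taken from the project or the pull request. The function names, the assumed escaping scheme and the sample input are hypothetical.

```php
<?php
// Added illustration; not code from phpMyAdmin or the error reporting server.

/**
 * Storage side (hypothetical helper): turn literal escape sequences back
 * into real characters so the database holds plain text, never HTML.
 * Assumption: the client escaped newlines as backslash-n and backslashes
 * as double backslashes.
 */
function normalize_description(string $raw): string
{
    // strtr() with an array works in a single pass and prefers the longest
    // key, so an escaped backslash followed by "n" is not read as a newline.
    return strtr($raw, [
        '\\\\'   => '\\',
        '\\r\\n' => "\n",
        '\\n'    => "\n",
        '\\r'    => "\n",
    ]);
}

/**
 * Display side (hypothetical helper): escape first so any markup in the
 * report is inert, then insert <br> tags for the line breaks.
 */
function render_description(string $stored): string
{
    $escaped = htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return nl2br($escaped, false);
}

// Constructed sample: a description as it might arrive from the client.
$submitted = 'Steps:\n1. Open table <b>users</b>\n2. <script>alert(1)</script>';

$stored = normalize_description($submitted);

// Correct order: markup is shown as text, line breaks become <br>.
echo render_description($stored), "\n\n";

// nl2br() alone keeps the line breaks but emits the user's markup unescaped.
echo nl2br($stored, false), "\n\n";

// Escaping after nl2br() neutralises the markup but also escapes the
// generated <br> tags, so they show up as literal text on the page.
echo htmlspecialchars(nl2br($stored, false), ENT_QUOTES, 'UTF-8'), "\n";
```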