On 10/23/13 5:18 AM, Michal Čihař wrote:
Hi
On Wed, 23 Oct 2013 09:28:12 +0200 Piotr Przybylski piotr.prz@gmail.com wrote:
2013/10/23 Michal Čihař michal@cihar.com
Hi
On Tue, 22 Oct 2013 20:48:14 -0400 Isaac Bennetch bennetch@gmail.com wrote:
In the user description field of the error reporting server, new lines are represented as \n rather than <br> or some other HTML-friendly means. This is easy to fix, however I'm not sure where best to fix it.
Do we convert the raw input before submission (line 58 of libraries/error_report.lib.php) or on display (line 88 of app/View/Incidents/view.ctp)? I think it's best to do it on submission, but wanted to double-check first.
Doing this on submission time would bring HTML into the server and we would have to do some sanity checking on it while displaying...
I don't think users should be allowed any HTML in bug reports. It will be much simpler then:
I agree to that. I just wanted to mention that in case we would do processing on the client side, it would make it harder later.
- Unescape all escape sequences before storing them on our server, e.g. \n -> newline
I haven't checked the code, but I doubt the user has entered \n; I think there is rather some escaping done which converted newlines into \n.
- Use nl2br before displaying, or wrap text with HTML block element with:
    white-space: -moz-pre-wrap; /* Firefox */
    white-space: -o-pre-wrap; /* Opera */
    white-space: pre-wrap; /* Chrome; W3C standard */
    word-wrap: break-word; /* IE */
It may require some tweaking, but it's doable in CSS.
Using nl2br is probably easier.
Thanks everyone for the comments. I wasn't able to test my patch, but it should be fixed by pull request at https://github.com/phpmyadmin/error-reporting-server/pull/21
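
The display-time option discussed in this thread, as an added example (not part of the thread and not the error-reporting-server's own code): store the description as plain text, then escape it before applying nl2br. The helper names and the sample description are assumptions made for illustration.

```php
<?php
// Constructed sample: a description that arrives with newlines already
// escaped to the two characters "\" and "n", plus markup typed by a user.
$submitted = 'Steps:\n1. Open <b>Export</b>\n2. <script>alert(1)</script>';

/**
 * Storage side (hypothetical helper): turn the literal "\n" escape
 * sequence back into a real newline and keep plain text only, no HTML.
 */
function normalize_description(string $raw): string
{
    // Single-quoted strings: these are literal backslash sequences.
    return str_replace(['\r\n', '\n'], "\n", $raw);
}

/**
 * Display side (hypothetical helper): escape first, then add <br />.
 * The order matters: nl2br() output must not be escaped afterwards,
 * and user text must never reach the page unescaped.
 */
function render_description(string $stored): string
{
    return nl2br(htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'));
}

$stored = normalize_description($submitted);

// Line breaks render as <br />; the user's tags are shown as inert text.
echo render_description($stored), "\n\n";

// Contrast: converting at submission time stores HTML on the server.
$storedHtml = nl2br($stored);

// The view is then stuck: printing $storedHtml as-is would also emit the
// user's <script> tag, while escaping it shows the <br /> tags as text.
echo htmlspecialchars($storedHtml, ENT_QUOTES, 'UTF-8'), "\n";
```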