WeBid Bug Tracking

Issue Details

ID: 0000326
Project: WeBid
Category: Templates
View Status: public
Date Submitted: 2011-09-02 23:57
Last Update: 2015-08-28 16:15
Reporter: Lunkwill
Assigned To: renlok
Priority: none
Severity: minor
Reproducibility: have not tried
Status: resolved
Resolution: fixed
Product Version: 1.0.3
Fixed in Version: 1.2.0
Summary: 0000326: HTML entities break forms
Description: A thread in the German section (http://www.webidsupport.com/forums/showthread.php?4134-Mitgliederconfirm-geht-nicht-mit-deutschem-Sprachfile) brought up the issue that the member confirmation form breaks with German umlauts if they are stored as Latin-1 or UTF-8 in messages.inc.php. It does work if the messages file contains them as HTML entities but this causes other problems such as ugly-looking emails.

Line 55 in confirm.php demonstrates the problem (though I suppose it potentially occurs elsewhere as well):

if (isset($_POST['action']) && $_POST['action'] == $MSG['249'])

The German confirm text is "Best&auml;tigen", which during form rendering gets translated to "Bestätigen". The latter is posted back as the form's action which is obviously not equal to the original message.

I suppose this could be fixed by using a BUTTON instead of a SUBMIT tag in the template, i.e. instead of

<input type="submit" name="action" value="{L_249}" class="button">
<input type="submit" name="action" value="{L_250}" class="button">

use

<button type="submit" name="action" value="Confirm">{L_249}</button>
<button type="submit" name="action" value="Refuse">{L_250}</button>

That or compare with "htmlentities($MSG[...])", I'm not sure which would be better.
Tags: No tags attached.
import_id: 328
Attached Files: entities-in-account-confirmation.patch (1,808 bytes) 2015-04-01 17:10

Relationships
has duplicate: 0000499 (closed, renlok) HTML entities break forms

Notes
(0000814)
Chrissio (reporter)
2011-09-04 13:07
edited on: 2011-09-04 13:14

I have found the error; 2 files in "confirm registry" are affected:

1.) /themes/default/confirm_account.tpl
2.) /confirm.php

1.) edit /themes/default/confirm_account.tpl and replace everything with the following code (changes are in bold)

<div class="content">
    <div class="tableContent2">
        <div class="titTable2 rounded-top rounded-bottom">
            {L_248}
        </div>
        <div class="table2" style="text-align:center">
<!-- IF PAGE eq error -->
            <span class="errfont">{ERROR}</span>
<!-- ELSEIF PAGE eq confirm -->
            <form name="registration" action="{SITEURL}confirm.php" method="post">
                {L_267}
                <input type="hidden" name="id" value="{USERID}">
                <input type="hidden" name="hash" value="{HASH}">
                <input type="hidden" name="csrftoken" value="{_CSRFTOKEN}">
                <input type="hidden" name="action" value="confirm">
                <input type="submit" name="act" value="{L_249}" class="button">
                <input type="submit" name="action" value="{L_250}" class="button">
            </form>
<!-- ELSEIF PAGE eq confirmed -->
            {L_330}
<!-- ELSEIF PAGE eq refused -->
            {L_331}
<!-- ENDIF -->
        </div>
    </div>
</div>
2.) edit /confirm.php - search around line 55 for

if (isset($_POST['action']) && $_POST['action'] == $MSG['249'])

and replace it with

// Chrissio changed if (isset($_POST['action']) && $_POST['action'] == $MSG['249'])
if (isset($_POST['action']) && $_POST['action'] == 'confirm')
//

Now it will work. I think a similar solution can work in the other affected files.
(0000831)
Lunkwill (reporter)
2011-09-04 18:56

<input type="hidden" name="action" value="confirm">    
<input type="submit" name="act" value="{L_249}" class="button">
<input type="submit" name="action" value="{L_250}" class="button">

Chrissio, the problem with this solution is that it will only work for confirmation, not for "refuse". I suppose if you press the Refuse button you get undefined behavior because there are two form elements with the same name, so $_POST['action'] may either be 'confirm' or 'Refuse'. Which could work in this case but would break again in any language that uses entities for the "Refuse" text.
(0000832)
Chrissio (reporter)
2011-09-04 19:07
edited on: 2011-09-04 19:13

I was asking myself the same question - but in my test installation I can confirm (and get the appropriate entry in the database) or reject (which deletes the data record completely) this way. It works for me - it would be interesting to know whether it works elsewhere. The transmitted "action" is a different one for each of the two buttons!
(0000833)
Lunkwill (reporter)
2011-09-04 19:33

Chrissio wrote:

> I was asking myself the same question - but in my test installation I can confirm (and get the appropriate entry in the database) or reject (which deletes the data record completely) this way. It works for me - it would be interesting to know whether it works elsewhere. The transmitted "action" is a different one for each of the two buttons!

Yeah, as I said: it may work or it may not. Even if it works fine for you, another browser may just choose to send the "action" from the hidden field instead, it's not guaranteed. And even with your browser it will certainly break again in French (I'm not sure what their "refuse" text is but I'm just guessing it has some sort of accent :))
(0000837)
Chrissio (reporter)
2011-09-05 03:54
edited on: 2011-09-05 14:29

Yes, that's possible. But take a look at the admin panel, at the file adminpages.tpl - it is solved the same way there.

However, the "Cancel" button is missing there.

Nevertheless, when you click one button, "act" and "confirm" plus the contents of the hidden fields are transmitted; when you click the other button, "action" and "...deny?..." plus the contents of the hidden fields are transmitted.

In the PHP it is also processed separately: if the user-identification strings arrive together with confirm = user confirmed; if the user-identification strings arrive together with deny? = user deleted from the db. Tested with Firefox and IE.

deny? is just a placeholder ... and now I have to do something for my employer. Luckily I'm about to meet several people there (computer scientists, software engineers) who really know about this sort of thing, and can ask them questions...
(0000838)
Lunkwill (reporter)
2011-09-05 14:52

Sure, with only one button that would be fine. The problem with the second one is that if you click it, you have two values called "action". While you can have that in a POST request (so the browser would presumably have to put both into the POST, instead of throwing one away as I wrote above), you can't have it in the associative array that is $_POST. So depending on the order in which the fields appear and the direction in which PHP parses them you'll get one or the other.
Of course you could use the PHP square brackets hack and call the field "action[]" so you'd get both, but apart from making the check even more obscure (action is always "confirm", even when it's actually meant to be "refuse", and we detect "refuse" by having more than one element in $_POST['action']---blech!) you'd have to be careful not to run into the same problem as before if there are entities in the "refuse" string.
(0000839)
Chrissio (reporter)
2011-09-05 19:48
edited on: 2011-09-05 19:51

I share your thoughts and have checked everything again with English, German, French and Spanish:

My solution works with IE and Firefox.

Of course it would be better if the confirmation functions (regardless of whether I want to confirm with acknowledge or no acknowledge) did not have access to the language files at all.

But in this script we make use of the language file and cannot change that without a lot of work and stress. Please take a look into confirm.php; there are 2 functions programmed - 1 for confirm, and 1 for deny (and delete from the database):

// user will be registered
// Old Code: if (isset($_POST['action']) && $_POST['action'] == $MSG['249'])
if (isset($_POST['action']) && $_POST['action'] == 'confirm')
{
    $query = "SELECT nick FROM " . $DBPrefix . "users WHERE id = " . intval($_POST['id']);
    $res = mysql_query($query);
    $system->check_mysql($res, $query, __LINE__, __FILE__);
    if (md5(mysql_result($res, 0, 'nick')) == $_POST['hash'])
    {
        // User wants to confirm his/her registration
        $query = "UPDATE " . $DBPrefix . "users SET suspended = 0 WHERE id = " . intval($_POST['id']) . " AND suspended = 8";
        $res = mysql_query($query);
        $system->check_mysql($res, $query, __LINE__, __FILE__);

        $query = "UPDATE " . $DBPrefix . "counters SET users = users + 1, inactiveusers = inactiveusers - 1";
        $system->check_mysql(mysql_query($query), $query, __LINE__, __FILE__);

        // login user
        $query = "SELECT id, hash, password FROM " . $DBPrefix . "users WHERE id = " . intval($_POST['id']);
        $res = mysql_query($query);
        $system->check_mysql($res, $query, __LINE__, __FILE__);
        if (mysql_num_rows($res) > 0)
        {
            $password = mysql_result($res, 0, 'password');
            $_SESSION['WEBID_LOGGED_IN'] = mysql_result($res, 0, 'id');
            $_SESSION['WEBID_LOGGED_NUMBER'] = strspn($password, mysql_result($res, 0, 'hash'));
            $_SESSION['WEBID_LOGGED_PASS'] = $password;
            // Update "last login" fields in users table
            $query = "UPDATE " . $DBPrefix . "users SET lastlogin = '" . gmdate("Y-m-d H:i:s") . "' WHERE id = " . $_SESSION['WEBID_LOGGED_IN'];
            $system->check_mysql(mysql_query($query), $query, __LINE__, __FILE__);

            $query = "SELECT id FROM " . $DBPrefix . "usersips WHERE USER = " . $_SESSION['WEBID_LOGGED_IN'] . " AND ip = '" . $_SERVER['REMOTE_ADDR'] . "'";
            $res = mysql_query($query);
            $system->check_mysql($res, $query, __LINE__, __FILE__);
            if (mysql_num_rows($res) == 0)
            {
                $query = "INSERT INTO " . $DBPrefix . "usersips VALUES
                        (NULL, '" . $_SESSION['WEBID_LOGGED_IN'] . "', '" . $_SERVER['REMOTE_ADDR'] . "', 'after', 'accept')";
                $system->check_mysql(mysql_query($query), $query, __LINE__, __FILE__);
            }
        }

        $page = 'confirmed';
    }
    else
    {
        $errmsg = $ERR_033;
        $page = 'error';
    }
}

// User does not want to register
if (isset($_POST['action']) && $_POST['action'] == $MSG['250'])
{
    $query = "SELECT nick FROM " . $DBPrefix . "users WHERE id = " . intval($_POST['id']);
    $res = mysql_query($query);
    $system->check_mysql($res, $query, __LINE__, __FILE__);
    if (md5(mysql_result($res, 0, 'nick')) == $_POST['hash'])
    {
        // User doesn't want to confirm his/her registration
        $query = "DELETE FROM " . $DBPrefix . "users WHERE id = " . intval($_POST['id']) . " AND suspended = 8";
        $res = mysql_query($query);
        $system->check_mysql($res, $query, __LINE__, __FILE__);

        $query = "UPDATE " . $DBPrefix . "counters SET inactiveusers = inactiveusers - 1";
        $system->check_mysql(mysql_query($query), $query, __LINE__, __FILE__);
        $page = 'refused';
    }
    else
    {
        $errmsg = $ERR_033;
        $page = 'error';
    }
}

I don't know why, but I have tested it with many languages, and it runs. Now I'll install the Russian translation and test it again. It is possible this solution is not "the yellow from the egg" - but it is functional and runs without problems.

In the next days I have an appointment with a software engineer - possibly he has a better solution for this problem. But if we have no better solution, why shouldn't we use it?

Please - test it on another installation to check that it works.
(0000840)
Lunkwill (reporter)
2011-09-05 23:19

I don't get why we should use a hack that relies on undocumented stuff on how PHP parses POST data but may or may not stop working with the next PHP version or language file (the comparison to $MSG['250'] is still there and will blow up if anything changes between the internal string and the rendered HTML) when we can have a clean solution using the BUTTON element.
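Putting Lunkwill's two points together, the failing comparison from the description and the field-order dependence of the hidden-field workaround, as an added PHP example that is not WeBid's code; the $MSG entries, POST bodies and function names are constructed for illustration:

```php
<?php
// Added example, not WeBid's code. The $MSG entries and POST bodies below are
// constructed to stand in for messages.inc.php and the browser's submission.

// A messages file may store umlauts as HTML entities.
$MSG = [
    '249' => 'Best&auml;tigen',   // "Confirm"
    '250' => 'Ablehnen',          // "Refuse"
];

// The template renders value="Best&auml;tigen"; the browser decodes the entity
// before submitting, so this is what arrives in $_POST['action'].
function browserSubmitValue(string $msg): string
{
    return html_entity_decode($msg, ENT_QUOTES | ENT_HTML401, 'UTF-8');
}

// The check from confirm.php line 55: raw message text vs. posted value.
// It only holds while the message contains no entity that the browser decodes.
function oldConfirmCheck(array $post, array $MSG): bool
{
    return isset($post['action']) && $post['action'] == $MSG['249'];
}

// Hidden "action" + submit "action" workaround: for a repeated plain key PHP
// keeps only the value that appears last, so the outcome depends on field order.
function parsePostBody(string $body): array
{
    parse_str($body, $out);
    return $out;
}

// Locale-independent dispatch. The template carries fixed values and localized labels:
//   <button type="submit" name="action" value="confirm">{L_249}</button>
//   <button type="submit" name="action" value="refuse">{L_250}</button>
// Only allow-listed string values reach a handler; anything else is an error.
function dispatchAction(array $post): string
{
    $allowed = ['confirm' => 'confirmed', 'refuse' => 'refused'];
    $action = $post['action'] ?? '';
    if (!is_string($action) || !isset($allowed[$action])) {
        return 'error';
    }
    return $allowed[$action];
}

// Old check against what the browser posts for the German entity-encoded label.
var_dump(oldConfirmCheck(['action' => browserSubmitValue($MSG['249'])], $MSG));
// A label without entities survives the round trip unchanged.
var_dump(browserSubmitValue($MSG['250']) == $MSG['250']);

// Repeated key: whichever field comes last wins in $_POST.
var_dump(parsePostBody('id=7&action=confirm&action=Refuse')['action']);
var_dump(parsePostBody('id=7&action=Refuse&action=confirm')['action']);

// <button> approach: the posted value never passes through the language file.
var_dump(dispatchAction(['action' => 'confirm']));
var_dump(dispatchAction(['action' => 'refuse']));
var_dump(dispatchAction(['action' => browserSubmitValue($MSG['249'])]));
```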
(0000841)
Chrissio (reporter)
2011-09-06 05:02

Ok - tell us another solution for the problem without changing the "...&Xuml;..." phrase in the language file and without changes to the code of confirm.php, and everyone can use it.

According to the initial assessment of our graduate computer scientist, it is a very bad idea to use the phrases from a language file to trigger a button function, since that produces errors. But without a detailed examination he couldn't yet shake another solution out of his sleeve. In any case, though, the code of the button function would then have to be changed if one wants to do without additional (Java?) scripts.

Actually it would be renlok's job to take a look in here and write something about it; evidently he hasn't dealt with it yet, or he has no other solution up his sleeve;
(0000842)
Lunkwill (reporter)
2011-09-06 18:05

It doesn't work without changing confirm.php, not even the hack with the extra hidden field does. I'll just upload a patch.
(0000843)
Lunkwill (reporter)
2011-09-06 18:12

Just had a quick look for further localized submit buttons, and there's a whole bunch of candidates.
If I find the time in the afternoon I'll have a look at a couple of them:

themes/default/pay.tpl: <input name="submit" type="submit" value="{L_756}" border="0">
themes/default/pay.tpl: <input name="submit" type="submit" value="{L_756}" border="0">
themes/default/pay.tpl: <input name="submit" type="submit" value="{L_756}" border="0">
themes/default/pay.tpl: <input name="submit" type="submit" value="{L_756}" border="0">
themes/default/pay.tpl: <input name="submit" type="submit" value="{L_756}" border="0">
themes/default/item.tpl: <input type="submit" name="" value="{L_30_0208}" class="button">
themes/default/upldgallery.tpl: <input type="submit" class="button" name="upload_thumbnail" value="{L_616}" id="save_thumb"><input type="submit" class="button" name="upload_thumbnail" value="{L_618}" >
themes/default/upldgallery.tpl: <input type="submit" name="uploadpicture" value="{L_681}">
themes/default/upldgallery.tpl: <input type="submit" name="creategallery" value="{L_683}">
themes/default/yourauctions.tpl: <input type="submit" name="Submit" value="{L_631}" class="button">
themes/default/buying.tpl: <input type="submit" name="Pay" value="{L_756}" class="pay">
themes/default/home.tpl: <p align="center"><input type="submit" name="action" value="{L_275}" class="button">
themes/default/sell.tpl: <input type="submit" name="" value="{L_661}" class="button">   <input type="reset" name="" value="{L_5190}" class="button">
themes/default/sell.tpl: <input type="submit" name="" value="{L_5189}" class="button">   <input type="reset" name="" value="{L_5190}" class="button">
themes/default/sell.tpl: <input type="submit" name="" value="{L_5189}" class="button">
themes/default/sell.tpl: <input type="submit" name="" value="{L_2__0037}" class="button">
themes/default/global_header.tpl: <input type="submit" name="sub" value="{L_399}" class="button">
themes/default/feedback.tpl: <input type="submit" name="" value="{L_207}" class="button">
themes/default/user_menu.tpl: <input type="submit" name="requesttoadmin" value="{L_25_0141}" class="button">
themes/default/auction_watch.tpl: <input type="submit" value="{L_5204}" class="button">
themes/default/yourauctions_c.tpl: <input type="submit" name="Submit" value="{L_631}" class="button">
themes/default/forgotpasswd.tpl: <input type="submit" name="" value="{L_5431}" class="button">
themes/default/sellermails.tpl: <input type="submit" name="Submit" value="{L_2_0015}" class="button">
themes/default/bid.tpl: <input type="submit" name="Input" value="{L_5199}" class="button">
themes/default/select_category.tpl: <input type="submit" name="submitit" value="{L_2__0047}" class="button">
themes/default/select_category.tpl: <input type="submit" name="submitit" value="{L_805}" class="button">
themes/default/mail.tpl: <input type="submit" name="submit" value="{L_008}" OnClick="if ( !confirm('{L_2__0031}') ) { return false; }">
themes/default/converter.tpl: <input type="button" name="convert" id="convert" value="{L_25_0176}">
themes/default/register.tpl: <input type="submit" name="" value="{L_235}" class="button">
themes/default/register.tpl: <input type="reset" name="" value="{L_035}" class="button">
themes/default/friend.tpl: <input type="submit" name="" value="{L_5201}" class="button">
themes/default/friend.tpl: <input type="reset" name="" value="{L_035}" class="button">
themes/default/browsecats.tpl: <td>{L_30_0070} <input type="text" name="catkeyword" size="20"> <input type="submit" name="" value="{L_103}" class="button">
themes/default/buy_now.tpl: <input type="submit" name="" value="{L_496}" class="button">
themes/default/buy_now.tpl: <input type="submit" name="Pay" value="{L_756}" class="pay">
themes/default/outstanding.tpl: <input type="submit" name="Pay" value="{L_756}" class="pay">
themes/default/advanced_search.tpl: <input type="submit" name="go" value="{L_5029}" class="button">
themes/default/yourauctions_p.tpl: <input type="submit" name="Submit" value="{L_631}" class="button">
themes/default/edit_details.tpl: <input type="submit" name="Input" value="{L_530}" class="button">
themes/default/msgboard.tpl: <input type="submit" name="Submit" value="{L_5057}" class="button">
themes/default/send_email.tpl: <INPUT TYPE="hidden" NAME="action" VALUE="{L_106}"> <INPUT TYPE=submit NAME="" VALUE="{L_5201}" class=button />
themes/default/send_email.tpl: <INPUT TYPE=reset NAME="" VALUE="{L_035}" class=button> </TD>
themes/default/yourauctions_s.tpl: <input type="submit" name="Submit" value="{L_631}" class="button">



Issue History

Date Modified       Username     Field                 Change
2015-04-01 13:17    renlok       New Issue
2015-04-01 13:17    renlok       import_id             => 328
2015-04-01 13:17    renlok       Date Submitted        2015-04-01 13:17 => 2011-09-02 23:57
2015-04-01 13:17    renlok       Last Update           2015-04-01 13:17 => 2011-09-06 18:12
2015-06-27 15:29    anirudh010   Issue cloned          0000499
2015-07-01 21:26    renlok       Relationship added    has duplicate 0000499
2015-08-28 16:15    renlok       Status                new => resolved
2015-08-28 16:15    renlok       Fixed in Version      => 1.2.0
2015-08-28 16:15    renlok       Resolution            open => fixed
2015-08-28 16:15    renlok       Assigned To           => renlok


Copyright © 2000 - 2017 MantisBT Team
Powered by Mantis Bugtracker