input TYPE_STR, is it safe enough in this case?

#1 - 10 Nov 2010, 00:43 - abualjori (Join Date: Feb 2010)

Hey!

I made a custom profile field, and the datamanager was part of the process.

So, here is what I did:

(Code not shown on this page: suspended or unlicensed members cannot view code.)

Then I used the datamanager to set the info:

(Code not shown on this page: suspended or unlicensed members cannot view code.)

This mod uses bbcode, so I need double quotes here (I messed up everything when I used TYPE_NOHTML).

Does this look safe enough to be used on my live forums? And do I have to escape strings etc., or would the datamanager take care of it?

Thank you.
#2 - 10 Nov 2010, 11:33 - sheppardzwc (Join Date: Dec 2008, Location: South Carolina, Real name: Zach)
The vBulletin input cleaner will escape anything that would normally be harmful to the boards. So yes, that would work fine.
#3 - 10 Nov 2010, 12:43 - kh99 (Join Date: Aug 2009, Real name: Kevin)
It looks to me like clean_gpc with TYPE_STR just trims blanks off the ends and removes null characters. So if you don't want to allow HTML in that field, you may need to do something else.

I guess you could try entering some HTML and see what happens.
#4 - 10 Nov 2010, 13:47 - vbenhancer (Join Date: Dec 2009, Real name: nexia)
TYPE_NOHTML will do your job...
#5 - 10 Nov 2010, 15:12 - kh99 (Join Date: Aug 2009, Real name: Kevin)
Originally Posted by vbenhancer:
    TYPE_NOHTML will do your job...

...except that the OP says that TYPE_NOHTML messed things up. Looking at includes/class_core.php, it looks like cleaning a TYPE_NOHTML value does this:

(Code not shown on this page: suspended or unlicensed members cannot view code.)

so maybe you could leave it as TYPE_STR but clean it yourself using the above code, and take out the part that replaces the quotes.
#6 - 11 Nov 2010, 15:29 - abualjori (Join Date: Feb 2010)
Hi!

With a little test, vBulletin seems to parse bbcode with quotes:

[color="Red"]test[/color]

or even without them:

[color=Red]test[/color]

So I made the same function that kh99 provided, but stripping every single HTML char, so it replaced them with nothing.

Thank you so much, everyone, for your input.
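The test kh99 suggests in #3 (enter some HTML and see what happens), the quote-preserving cleaner he sketches in #5, and the stripping variant the OP settled on in #6 can all be tried offline. The PHP below is an added example written for this page, not code from the thread or from vBulletin: clean_type_str() and clean_type_nohtml() are my approximation of what the thread says clean_gpc() does for TYPE_STR and TYPE_NOHTML, not copies of includes/class_core.php, and the four inputs are constructed. It runs the same bbcode values and HTML payloads through each cleaner so the difference is visible side by side.

```php
<?php
// Added example, not code from the thread or from vBulletin itself.
// clean_type_str() and clean_type_nohtml() are assumptions modelled on the
// thread's description of clean_gpc() in includes/class_core.php.

// TYPE_STR-style cleaning: trim surrounding blanks and drop NUL bytes.
// Nothing is done about '<', '>' or '"', so HTML survives this step.
function clean_type_str($data)
{
    return str_replace(chr(0), '', trim($data));
}

// TYPE_NOHTML-style cleaning: TYPE_STR plus entity-encoding of the characters
// that can open a tag or break out of an attribute. Double quotes are encoded
// too, which is what turns [color="Red"] into [color=&quot;Red&quot;].
function clean_type_nohtml($data)
{
    return str_replace(
        array('&', '<', '>', '"'),
        array('&amp;', '&lt;', '&gt;', '&quot;'),
        clean_type_str($data)
    );
}

// What the OP describes in post #6: HTML characters replaced with nothing,
// and '"' left alone so bbcode attributes keep working.
function clean_strip_html_keep_quotes($data)
{
    return str_replace(array('<', '>'), '', clean_type_str($data));
}

// Alternative that keeps the user's text readable instead of deleting
// characters: encode '<', '>' and '&', still leaving '"' untouched.
// "a < b" stays "a &lt; b", [color="Red"] keeps its quotes, no tag can form.
function clean_encode_html_keep_quotes($data)
{
    return str_replace(
        array('&', '<', '>'),
        array('&amp;', '&lt;', '&gt;'),
        clean_type_str($data)
    );
}

// Crude check used only for this demo: an unescaped '<' followed by a tag
// name, '!' or '/' is enough for a browser to start an element.
function contains_tag($cleaned)
{
    return preg_match('/<\s*\/?[a-z!]/i', $cleaned) === 1;
}

// Constructed inputs (not from the thread): two bbcode values that must keep
// working, and two HTML payloads the profile field must not pass through.
$inputs = array(
    '  [color="Red"]test[/color]  ',
    "[color=Red]test[/color]\0",
    '<b onmouseover="alert(1)">hover me</b>',
    '<img src=x onerror="alert(document.cookie)">',
);

$cleaners = array(
    'TYPE_STR (approx.)'     => 'clean_type_str',
    'TYPE_NOHTML (approx.)'  => 'clean_type_nohtml',
    'strip <> keep quotes'   => 'clean_strip_html_keep_quotes',
    'encode <>& keep quotes' => 'clean_encode_html_keep_quotes',
);

foreach ($inputs as $raw) {
    // addcslashes makes the NUL byte visible as \000 in the output.
    echo 'raw: ', addcslashes($raw, "\0..\37"), "\n";
    foreach ($cleaners as $label => $fn) {
        $out = $fn($raw);
        printf("  %-23s %-48s tag_possible=%s\n",
            $label, $out, contains_tag($out) ? 'yes' : 'no');
    }
    echo "\n";
}
```

Run it with `php cleaners.php`. Two caveats a practitioner would check before shipping either cleaner: encoding or stripping HTML at input is not SQL escaping, which is a separate layer applied when the value is stored; and if the template or bbcode parser already escapes the value on output, encoding at input double-encodes it (look for `&amp;lt;` in the rendered page and pick one layer).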
All times are GMT.