MyBB Community Forums

MyBB Community Forums > Resources > MyCodes > Does MyBB escape html?
Full Version: Does MyBB escape html?
You're currently viewing a stripped down version of our content. View the full version with proper formatting.

Guy_de_Siguro

2013-07-02, 06:39 PM
I've got this regex;
\[rcode\](.*?)\[/rcode\]

and this html output;
<div style="width:45%; display:inline-table;">$1</div><div style="width:45%; display:inline-table;">$1</div>

but it doesn't simply render the input twice on either side... for an input like so;
<div class="progress">
  <div class="bar" style="width: 60%;">
  </div>
</div>

it produces a load of crap in the actual html.
<div style="width:45%; display:inline-table;">&lt;div class="progress"&gt;&lt;div class="bar" style="width: 60%;"&gt;&lt;/div&gt;&lt;/div&gt;</div><div style="width:45%; display:inline-table;">&lt;div class="progress"&gt;&lt;div class="bar" style="width: 60%;"&gt;&lt;/div&gt;&lt;/div&gt;</div>

any ideas? I want it to technically render the code inputted on the left on the right to visually show how code works.

Dannymh

2013-07-06, 12:43 AM
Yes it does without it you are opening up your site to being hacked through injection. You can allow html which would help or you cam put in the escaped string.

Html os parsed on input with db-> escape_string and on output with the parser

$ parser-> parse_post I think from memory

Guy_de_Siguro

2013-07-07, 01:48 PM
hmmm, thanks... I think I have an idea on how to get this done safely... though i'll have to try it first Smile
MyBB Community Forums > Resources > MyCodes > Does MyBB escape html?