<> in Html in post
#1
Sorry for the title but I really didn't know what to put.
I noticed that in HTML-enabled forums there is a problem with <>.
Whatever I type between the two <> is always understood as code and therefore the result is invisible posts. Here is an example

If I write <how are you> it is invisible. If I write how are you it is visible. This applies to every word between the two <>.

I share some screenshots to explain myself better

I hope I have been clear and thank you for your attention


Reply
#2
This is normal: you allow html, so the content of the post is read as html. Anything between < and > is a html tag, it won't be displayed but interpreted.
You have to use html entities (&laquo; &raquo;) to have them displayed, like in any html content.
Tchat en français
Do not ask me help through PM or Discord

Reply
#3
https://www.w3schools.com/html/html_entities.asp Wrote:Reserved characters in HTML must be replaced with entities:
< (less than) = &lt;
> (greater than) = &gt;

HTML Character Entities
Some characters are reserved in HTML.
If you use the less than (<) or greater than (>) signs in your HTML text, the browser might mix them with tags.
Entity names or entity numbers can be used to display reserved HTML characters.

One line of questions a forum admin should be asking is "Do I need to enable HTML in posts? If it is for a small use case, can it be achieved with MyCode instead?"

Otherwise, <> are reserved characters and cause your posts to appear as intended.
Reply
#4
Woops yes, &lt; and &gt;. I don't know why I spoke about raquo :)

Reply
#5
So everything is normal from what I understand. More to the point, before, despite always having html in the forum activated, it wouldn't pick up anything. At this I wonder ‘is there something where only the administrator can use html in post?’.
Reply
#6
(2024-09-27, 11:03 AM)Crazycat Wrote: This is normal: you allow html, so the content of the post is read as html. Anything between < and > is a html tag, it won't be displayed but interpreted.
You have to use html entities (&laquo; &raquo;) to have them displayed, like in any html content.
Of course it is not normal. When the option is "Allow HTML", this means only valid HTML tags, not everything that is between <>, and it does not make sense to force him to use entities in each post to fix this (it can be used as a temporary solution).

(2024-09-27, 01:05 PM)SELLECK87 Wrote: So everything is normal from what I understand. More to the point, before, despite always having html in the forum activated, it wouldn't pick up anything. At this I wonder ‘is there something where only the administrator can use html in post?’.

One way to fix this is in the MyBB core: MyBB developers can use preg_replace_callback to check strings that are like <NAME...> or </NAME>, and if one is not a real HTML tag, use the htmlspecialchars function to convert its special characters to HTML entities. This way, in a post you can only see valid HTML.
Reply
#7
I remain fascinated by your knowledge. Yes indeed, as far as I understand it, not everything is html between <> because the problem could also occur if I do <<hi>> with the double <>.
Reply
#8
(2024-09-27, 01:18 PM)Mostafa.Shiraali Wrote: Of course it is not normal. When the option is "Allow HTML", this means only valid HTML tags, not everything that is between <>, and it does not make sense to force him to use entities in each post to fix this (it can be used as a temporary solution).

I think you're wrong: allow html doesn't transform content in html entities, it allows to keep them as they are typed (except for some tags as base, meta, script and style). So, the browser interprets < and > as html tags, and doesn't display them, it displays only what it "interprets" as content.
This is exactly the same if you create a simple html page with <hi> in it, it won't be displayed.

Reply
#9
(2024-09-27, 02:27 PM)Crazycat Wrote:
(2024-09-27, 01:18 PM)Mostafa.Shiraali Wrote: Of course it is not normal. When the option is "Allow HTML", this means only valid HTML tags, not everything that is between <>, and it does not make sense to force him to use entities in each post to fix this (it can be used as a temporary solution).

I think you're wrong: allow html doesn't transform content in html entities, it allows to keep them as they are typed (except for some tags as base, meta, script and style). So, the browser interprets < and > as html tags, and doesn't display them, it displays only what it "interprets" as content.
This is exactly the same if you create a simple html page with <hi> in it, it won't be displayed.
Allow HTML means I allow HTML code to be written in my content, and MyBB, instead of printing it, echoes it as executable HTML code. So for this MyBB needs to detect which part of the text is HTML and which part is not; this is called data validation. Also, as you mentioned, "allow html doesn't transform content in html entities, it allows to keep them as they are typed": this option is for HTML code, not other things, so when it is enabled it must distinguish HTML code from the rest. Otherwise, based on your reasoning, there would for example be no need to check the post message for XSS attacks or ... I can say the editor is for the user to write everything he likes (based on your reasoning)!!!!!
Reply
#10
class_parser.php :
      if(empty($this->options['allow_html']))
      {
         $message = $this->parse_html($message);
         $message = str_replace("&lt;mybb-code&gt;\n", "<mybb-code>\n", $message);
      }
      else
      {
         // Replace base, meta,script and style tags in our post - these are > dangerous <
         $message = preg_replace('#<(/?)(base|meta|script|style)([^>]*)>#i', '&lt;$1$2$3&gt;', $message);
         $message = $this->fix_javascript($message);

         $find = array("<br />\n", "<br>\n");
         $replace = array("\n", "\n");
         $message = str_replace($find, $replace, $message);
      }
In the else case (so, allow_html is set to 1), just a few protections are done.
When allow_html is set to 0, full escape of html is done:
   function parse_html($message)
   {
      $message = preg_replace("#&(?!\#[0-9]+;)#si", "&amp;", $message); // fix & but allow unicode
      $message = str_replace("<","&lt;",$message);
      $message = str_replace(">","&gt;",$message);
      return $message;
   }
Reply
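
The check proposed in post #6, written out as an added example (not MyBB code and not from any poster in this thread): it keeps only attribute-free tags from an allowlist and escapes every other <...> run and stray bracket, which is stricter than the allow_html branch quoted in post #10. The names ALLOWED_TAGS and escape_unknown_tags and the sample posts are assumptions made for the illustration.

```php
<?php
// Added example, not MyBB code. ALLOWED_TAGS and escape_unknown_tags()
// are hypothetical names chosen for this illustration.
const ALLOWED_TAGS = ['b', 'i', 'u', 'em', 'strong', 'p', 'br', 'blockquote'];

function escape_unknown_tags(string $message): string
{
    $flags = ENT_QUOTES | ENT_SUBSTITUTE;
    // Split into tag-shaped tokens (<name ...> or </name>) and the text between them.
    $parts = preg_split('#(</?[a-z][a-z0-9]*[^<>]*>)#i', $message, -1, PREG_SPLIT_DELIM_CAPTURE);
    if ($parts === false) {
        // Regex engine error: fall back to escaping the whole message.
        return htmlspecialchars($message, $flags, 'UTF-8', false);
    }
    $out = '';
    foreach ($parts as $i => $part) {
        // With PREG_SPLIT_DELIM_CAPTURE, odd indexes hold the captured tag tokens.
        $isTagToken = ($i % 2 === 1);
        // Keep a token only if it is a bare allowlisted tag with no attributes.
        if ($isTagToken
            && preg_match('#^<(/?)([a-z][a-z0-9]*)\s*(/?)>$#i', $part, $m)
            && in_array(strtolower($m[2]), ALLOWED_TAGS, true)) {
            $out .= $part;
            continue;
        }
        // Everything else is shown literally. double_encode=false leaves
        // entities the user already typed (&lt;, &gt;) untouched.
        $out .= htmlspecialchars($part, $flags, 'UTF-8', false);
    }
    return $out;
}

// Constructed sample posts, including the two cases raised in this thread.
$samples = [
    'If I write <how are you> it is invisible.',
    '<<hi>>',
    '<b>bold</b> and 1 < 2',
    '<b onmouseover="x()">attribute present</b>',
    'already escaped: &lt;hi&gt;',
];
foreach ($samples as $s) {
    echo escape_unknown_tags($s), PHP_EOL;
}
```

Tags that carry attributes are escaped rather than kept, because an allowlist of tag names alone says nothing about what an attribute such as an event handler does, which is the XSS concern raised in post #9.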