
I am developing a web application and want to make it so that the user can create some stuff by POSTing XML data. For that purpose there is a <textarea> where the user can write (copy/paste) XML and submit it. The problem is that I am losing data: characters such as <, >, and I think others too, get lost.

Maybe it is a framework problem, I am not sure; I am using Elgg and receiving the data with get_input().

UPDATE1: some code answering the comment:

<form method="POST" action="http://for.bar/slash" enctype="text/xml">
<!-- textarea added so the form matches the get_input('data') call below -->
<textarea name="data" rows="10" cols="60"></textarea>
<input name="add" type="submit" value="Create" />
</form>

To receive the data I use Elgg's get_input():

$data = get_input('data');
Jason Plank
conradsteink
  • According to [this answer](http://stackoverflow.com/a/2088880/1497596) to the question [How to post XML to server thru HTML form?](http://stackoverflow.com/q/2088862/1497596), `text/xml` is *not* a permitted value for the `enctype` attribute. – DavidRR May 27 '14 at 00:36

2 Answers

1

If I were to make a wild guess I'd say that there is some kind of auto-magical XSS protection being used by get_input(). You could try doing a print_r($_POST); or perhaps Elgg is "sanitizing" all of $_POST as well. In this case you may have to base64 encode the data with JavaScript before submitting the request.

rook
  • You were right! Thx a lot. The get_input() function has a $filter_result = true parameter. – conradsteink Feb 24 '10 at 23:47
  • +1. Yeah, this results in the input being mangled by `htmlawed_filter_tags`, which tries to make the input HTML whether it was supposed to be HTML or not. XSS “protection” at the input stage is **always the wrong thing**, and this is a particularly bad example of it. I strongly question the competence of the developers of this package. – bobince Feb 25 '10 at 00:37
  • That is a nasty "feature" that is all too common. I agree that it is the wrong place for an xss filter. I am glad I can help! – rook Feb 25 '10 at 02:56
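As an added example (not code from the answer, the commenters, or Elgg itself), here is a single-file PHP page that makes the point of this answer concrete: it accepts the XML from the textarea, shows how much of it a strip_tags()-style input filter would discard, and instead keeps the raw value, validates it as XML with DOCTYPE declarations rejected and network access disabled, and escapes it only at output time, which is where XSS is actually prevented. The file name xml_post.php, the use of strip_tags() as a stand-in for the framework's filter, and the get_input('data', '', false) call mentioned in a comment are assumptions; everything else is standard PHP.

```php
<?php
// Added example, not part of the original answer and not Elgg's own code:
// a single-file PHP page that shows the data loss an input-stage HTML filter
// causes on XML, then the safer pattern of keeping the raw value, validating
// it as XML and escaping only on output.
// Run with: php -S 127.0.0.1:8080 xml_post.php   (file name is an assumption)

declare(strict_types=1);

/**
 * Stand-in for an "XSS protection" filter applied to all input (assumed, not
 * Elgg's real filter). strip_tags() treats every <element> in the XML as an
 * HTML tag and removes it, which is the kind of loss the question describes.
 * Shown only for comparison; never apply it to XML you intend to keep.
 */
function naiveInputFilter(string $raw): string
{
    return strip_tags($raw);
}

/**
 * Parse untrusted XML defensively. Returns a DOMDocument, or null and sets
 * $error. LIBXML_NONET blocks network access for external resources, and a
 * DOCTYPE is rejected up front so no entity declarations (external entities,
 * entity expansion bombs) are ever processed.
 */
function parseUntrustedXml(string $raw, ?string &$error = null): ?DOMDocument
{
    $error = null;
    if (trim($raw) === '') {
        $error = 'empty input';
        return null;
    }
    if (preg_match('/<!DOCTYPE/i', $raw) === 1) {
        $error = 'DOCTYPE declarations are not accepted';
        return null;
    }
    $previous = libxml_use_internal_errors(true);   // collect errors instead of emitting warnings
    $doc = new DOMDocument('1.0', 'UTF-8');
    $ok = $doc->loadXML($raw, LIBXML_NONET);
    $errors = libxml_get_errors();
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    if (!$ok) {
        $error = $errors !== [] ? trim($errors[0]->message) : 'not well-formed XML';
        return null;
    }
    return $doc;
}

/** Escape for HTML output: this, not input filtering, is what stops XSS. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    // Read the raw value. In Elgg, the comment above reports a $filter_result
    // parameter on get_input(); the equivalent call would be
    // get_input('data', '', false) (assumed signature), which bypasses the filter.
    $raw = (string) ($_POST['data'] ?? '');
    $filtered = naiveInputFilter($raw);
    $doc = parseUntrustedXml($raw, $error);

    header('Content-Type: text/html; charset=UTF-8');
    echo '<p>Raw length: ' . strlen($raw)
       . ', after strip_tags(): ' . strlen($filtered) . ' (bytes the filter would have lost)</p>';
    if ($doc === null) {
        echo '<p>Rejected: ' . h((string) $error) . '</p>';
    } else {
        echo '<p>Root element: <code>' . h($doc->documentElement->tagName) . '</code></p>';
        // Escaped on output, so the <, > and & of the XML survive intact.
        echo '<pre>' . h((string) $doc->saveXML()) . '</pre>';
    }
    exit;
}
?>
<!-- No enctype attribute: the default application/x-www-form-urlencoded is what a textarea needs -->
<form method="POST" action="">
  <textarea name="data" rows="10" cols="60">&lt;item&gt;&lt;name&gt;example&lt;/name&gt;&lt;/item&gt;</textarea>
  <button name="add" type="submit">Create</button>
</form>
```

Submitting the pre-filled textarea reports a raw length of 33 bytes against 7 after the filter (only the text "example" survives strip_tags()), which is exactly the symptom in the question; the parsed document is echoed back unchanged because escaping happens at the point of output.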
0

According to MDN, the only standard values that should be used in a form's enctype attribute are the following:

  • application/x-www-form-urlencoded
  • multipart/form-data
  • text/plain

That being said, you can run into unpredictable situations by giving it the value application/xml.

Source: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/form#attr-enctype

Fusion