
I have a CKEditor box which, upon submission, converts special characters to HTML codes, for example: ' becomes '

If there is a ' character in an image alt text or any other HTML attribute, it doesn't escape and thus breaks some of my functions. Is there a way around this?

I've not made any modifications to the configuration etc.; it's the standard setup for CKEditor.

Is there a way to overcome this? Any adjustments would need to be made server side (php).

CKEditor auto-escapes certain characters so it works with JavaScript, but the function they have to auto-escape characters ignores HTML attributes for some reason. An image alt called "I'm Dancing" would break it.

Basically I have an input form, which collects the data in the fields and sends it to the database just fine. But when I want to use my edit form (which auto-populates the CKEditor with the database contents), the JavaScript to set the text in the CKEditor fails because of the problem mentioned above. The text originally came from CKEditor and is being returned to CKEditor from the database for editing.

Dan Hanly
  • What queries are you talking about? SQL queries? – Your Common Sense Mar 23 '11 at 08:57
  • Yes, but before that it breaks the AJAX parameter string and some other JavaScript processing I have. I've not touched regex ever, so I've no idea how to replace a character such as ' with ' throughout my code. However, what I was hoping to target here was the cause for these being there at all. I'm confident I could use a regex to replace the character before it hits JavaScript, but I shouldn't have to, should I? CKEditor should take care of this. – Dan Hanly Mar 23 '11 at 09:19
  • Dunno about CK, but broken SQL queries are completely your own fault. – Your Common Sense Mar 23 '11 at 09:25
  • Thanks for the constructive advice @Col. I actually haven't gotten as far as writing the SQL query yet; it breaks my JavaScript BEFORE the query. – Dan Hanly Mar 23 '11 at 09:26
  • @Daniel: Your JavaScript shouldn't be putting user-generated strings in a context where certain characters can break things (e.g. via eval). Show us your code and we can help you to fix it instead of adding probably useless escaping. – ThiefMaster Mar 23 '11 at 09:32
  • Don't be so sarcastic, lol. It's my role. I just can't believe that, being a member for 7 months, you have never heard any of the scary tales of SQL injection told by every-friggin-one here :) An SQL query should be built up according to some strict rules, and your broken queries just say that you don't follow them. If you're really interested in the topic, here you are: http://stackoverflow.com/questions/2993027/in-php-when-submitting-strings-to-the-db-should-i-take-care-of-illegal-characters/2995163#2995163 – Your Common Sense Mar 23 '11 at 09:34
  • I use mysql_real_escape_string to escape for the database, and I'm pretty careful about injection. Like I said above, it's the JavaScript before the queries, not the queries themselves. – Dan Hanly Mar 23 '11 at 09:39
  • Hmm, the edited version makes sense now, but I still have no idea what made you write about broken SQL queries... – Your Common Sense Mar 23 '11 at 09:45
  • I said query but I meant function. It's early, don't judge ;) – Dan Hanly Mar 23 '11 at 09:59

1 Answer

I had a similar problem with background images once. I fixed it with htmlentities().

Pranav Hosangadi
rosc0
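The following is an added PHP illustration, not code from the question or the answer, of why an apostrophe in an alt attribute breaks the edit-form JavaScript and of the server-side fixes the thread points at: htmlentities() with ENT_QUOTES (the answer's approach) and json_encode() for a JavaScript context. The markup, the `editor` variable and the image file name are constructed for the example.

```php
<?php
// Constructed sample of what CKEditor stored in the database: an image whose
// alt text contains an apostrophe, exactly the case raised in the question.
$fromDatabase = '<p>Hello</p><img src="dance.png" alt="I\'m Dancing" />';

// Naive interpolation into a single-quoted JavaScript string literal: the
// apostrophe inside the alt text terminates the literal, the script is a
// syntax error, and any user who controls the content controls the script.
$broken = "editor.setData('" . $fromDatabase . "');";

// htmlentities() with ENT_COMPAT (the default before PHP 8.1) encodes double
// quotes only, so the single quote survives and the same breakage remains.
$stillBroken = "editor.setData('"
    . htmlentities($fromDatabase, ENT_COMPAT, 'UTF-8') . "');";

// ENT_QUOTES encodes both quote kinds, which is what the answer relies on.
// The markup now arrives HTML-encoded, so whatever consumes it must decode
// it (html_entity_decode() on the server, or a DOM text node in the browser)
// before handing it to CKEditor, or the editor shows literal entities.
$quoted = "editor.setData('"
    . htmlentities($fromDatabase, ENT_QUOTES, 'UTF-8') . "');";

// For a JavaScript context the cleanest fix is to let json_encode() emit the
// whole literal: it escapes quotes, backslashes, newlines and "/" (so "</script>"
// cannot end the enclosing element), and the HEX flags also neutralise <, >, ', "
// and & in case the output ever lands inside an HTML attribute.
$safe = "editor.setData("
    . json_encode($fromDatabase, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP)
    . ");";

foreach (['broken' => $broken, 'stillBroken' => $stillBroken,
          'quoted' => $quoted, 'safe' => $safe] as $label => $js) {
    // Count unescaped single quotes in the emitted script: a value above the two
    // that delimit the literal means the literal has been terminated early.
    $quoteCount = substr_count($js, "'");
    printf("%-12s quotes=%d  %s\n", $label, $quoteCount, $js);
}
```

The json_encode() form is the one to use when the string goes straight into a script block; the ENT_QUOTES form only helps when the consumer decodes the entities again.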