
I faced the following issue while submitting my form using jQuery Form and doing a POST submit.

When I type into input field an HTML comment:

< !-- #without space after < symbol

The request never gets submitted; it waits forever.

I believe that the reason is that the HTML comment ruins the XMLHttpRequest object and it never gets parsed by PHP. I can just parse the HTML comments out of the input fields before submitting, but something tells me that it's not the best solution. Does anybody know the best way to avoid this issue?

The HTML code of my form is the following:

<form method="post" action="/orders/place" class="form a-center" id="orderForm">
  <input type="text" x-webkit-speech="" value="Sign text" name="sign" id="sign">
  <textarea rows="7" name="comments" id="comments">Order comments</textarea>
  <p>
    <button id="orderSubmitBtn" class="button" type="submit">Lets Go</button>
  </p>
</form>

The JavaScript is a simple jQuery form submission:

var options = {
 dataType: 'json',
 success: function(data) { 
   if (data.ok) {
     //do some action here!
   }
 }
};
$('#orderForm').ajaxSubmit(options); 

The only case in which it fails is when I enter an HTML comment tag.

Also, here is the link to the page containing the form: http://sandsign.com (just try entering < !-- text in the sign text field and press the Lets Go button).

  • The HTML comment shouldn't matter. Can you show some code? – RoToRa Mar 23 '12 at 10:47
  • @RoToRa, sure - it's just a simple jQuery form submission: `var options = { dataType: 'json', success: function(data) { if (data.ok) { //do some action here! } } }; $('#orderForm').ajaxSubmit(options);` Also it always works! The only case when it fails is the case when I input an html comment. – Anton Velikanov Mar 23 '12 at 11:43
  • The HTML, too. Please add the code to your question by editing it. – RoToRa Mar 23 '12 at 11:50
  • As far as I can see, that should work fine. See: http://jsfiddle.net/zVh3k/ . An HTML comment in a text field **can't** have any effect on form submission like you are describing. Are you sure you aren't doing something else, like writing the content of the comment field to the `innerHTML` (`$().html(...)`) of an element? – RoToRa Mar 23 '12 at 15:02

2 Answers

Instead of parsing out just the comment, you could HTML-encode the textarea content before submitting it and then decode it on the server. These are the functions to HTML encode/decode something with jQuery:

function htmlEncode(value){
  return $('<div/>').text(value).html();
}

function htmlDecode(value){
  return $('<div/>').html(value).text();
}

via (HTML-encoding lost when attribute read from input field)

And then decode it in PHP with htmlentities:

http://php.net/manual/es/function.htmlentities.php

– Fgblanch
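As an added example (not part of the original question or answer, and written without jQuery so it runs under Node.js), the block below shows two things the thread touches on: first, that the browser (or jQuery Form) percent-encodes every field for an `application/x-www-form-urlencoded` POST, so a raw `<!--` never reaches the server's request parser; second, the failure mode RoToRa's last comment points at, where the raw value is concatenated into markup and the comment opener swallows the closing tag. The `htmlEncode`/`htmlDecode` pair mirrors the answer's jQuery functions using explicit replacements. The function names and the sample string are mine.

```javascript
// Added example: how a form value containing an HTML comment opener travels,
// and where it actually becomes a problem. Plain Node.js, no jQuery.

// What goes on the wire for a default form POST: '<' and '!' are
// percent-encoded and space becomes '+', so the body is just text to the
// server-side form parser (no raw '<!--' is ever present).
function encodeFormBody(fields) {
  return new URLSearchParams(fields).toString();
}

// Equivalent of the answer's jQuery htmlEncode/htmlDecode, written with explicit
// replacements so it works outside a browser. Only the five characters that
// carry meaning in HTML text or attribute context are touched.
const ENCODE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const DECODE_MAP = Object.fromEntries(
  Object.entries(ENCODE_MAP).map(([ch, ent]) => [ent, ch])
);

function htmlEncode(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENCODE_MAP[ch]);
}

function htmlDecode(value) {
  // Non-overlapping, left-to-right: '&amp;lt;' decodes to '&lt;', not '<'.
  return String(value).replace(/&(amp|lt|gt|quot|#39);/g, (ent) => DECODE_MAP[ent]);
}

// The hazard RoToRa describes: concatenating the raw value into markup.
// An HTML parser treats everything from '<!--' onward as a comment, so the
// closing </p> (and anything after it) vanishes from the rendered page.
function renderUnsafe(value) {
  return '<p>' + value + '</p>';
}

// Escaping before concatenation keeps the comment opener as literal text.
function renderSafe(value) {
  return '<p>' + htmlEncode(value) + '</p>';
}

// Constructed sample input: the kind of string the question reports as failing.
const SAMPLE = '<!-- hello';

console.log(encodeFormBody({ sign: SAMPLE }));          // sign=%3C%21--+hello
console.log(renderUnsafe(SAMPLE));                      // <p><!-- hello</p>  (comment never closes)
console.log(renderSafe(SAMPLE));                        // <p>&lt;!-- hello</p>
console.log(htmlDecode(htmlEncode(SAMPLE)) === SAMPLE); // true
```

The point for a reviewer: encoding on the client is a convenience, not a control, since anyone can POST a raw value directly; the server must treat the field as untrusted text and escape it at the point where it is written into HTML, whatever the client did.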

Thanks to RoToRa - I narrowed my research down to the PHP script I'm posting to, and realized that it's a bug in the Zend Filter class :-(.

The following PHP code with Zend Framework for some reason freezes forever when it receives < !-- as a POST parameter:

$filterChain = new Zend_Filter();
$filterChain->addFilter(new Zend_Filter_StringTrim())
            ->addFilter(new Zend_Filter_StripTags());
$this->getHelper('viewRenderer')->setNoRender();
$signFiltered   = $filterChain->filter($_POST['sign']);

Thanks everybody for the advice!