Bug report: Links in custom fields
Posted: Thu Feb 08, 2018 10:09 pm
Script URL:
Version of script: 2.7.5
Hosting company:
URL of phpinfo.php:
URL of session_test.php:
What terms did you try when SEARCHING for a solution:
PHP 7.0
Write your message below:
If I use a custom field and enter a URL, it is changed to a hyperlink (<a href="content">content</a>), which is very helpful.
However, if I then edit the ticket, the quotation marks are not escaped and the <a> is corrupting the HTML (since the "" in the href break the "" of the value="").
This could be treated by correctly escaping/reintroducing the quotes; however, the field would still contain the full HTML tag. On save, the interpreter may replace the href by <a></a> again, messing things up.
Better:
In line 555 of admin/edit_post.php, one could use mb_ereg_replace to just remove the <a> tags again. When saving the content, the link is just recreated again:
<td width="80%"><input type="text" name="'.$k.'" size="40" maxlength="'.intval($v['value']['max_length']).'" value="'.mb_ereg_replace("<[^>]*>","",$v['value']['default_value']).'" '.$cls.' /></td>
This has the advantage of modifying only one line, in contrast to what would be necessary for the escaping solution explained above.
To reproduce, just open a ticket with a link in a custom textline field. Then, open the ticket in admin mode and go to edit...
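The following is an added example, not code from the post or from the script itself: it renders the edit-form input once unescaped and once with the tags stripped and the result encoded for the attribute context, then parses both to show what value the browser actually receives. The helper names, the field name `custom1` and the sample values are assumptions constructed for illustration.

```php
<?php
// Constructed sample values: what a custom text field might hold after the
// save-time URL-to-link conversion described in the post.
$samples = [
    'linked' => '<a href="https://example.com/doc">https://example.com/doc</a>',
    'quoted' => 'see "notes" at <a href="https://example.com">https://example.com</a>',
];

// Hypothetical helper: the unescaped rendering that breaks the edit form.
function render_raw(string $name, string $stored): string
{
    return '<input type="text" name="' . $name . '" value="' . $stored . '" />';
}

// Hypothetical helper: strip the generated tags (the approach from the post),
// then encode for the attribute context so a leftover quote or angle bracket
// in the plain text cannot terminate value="".
function render_safe(string $name, string $stored): string
{
    $plain = (string) mb_ereg_replace('<[^>]*>', '', $stored);
    $attr  = htmlspecialchars($plain, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8')
         . '" value="' . $attr . '" />';
}

// Parse the markup the way a browser would and return the value attribute
// of the first <input>, or null if no input element survives parsing.
function parsed_value(string $html): ?string
{
    $doc = new DOMDocument();
    @$doc->loadHTML('<html><body>' . $html . '</body></html>');
    $input = $doc->getElementsByTagName('input')->item(0);
    return $input ? $input->getAttribute('value') : null;
}

// Compare what the form field ends up containing under each rendering.
foreach ($samples as $label => $stored) {
    printf("%s\n  raw : %s\n  safe: %s\n", $label,
        var_export(parsed_value(render_raw('custom1', $stored)), true),
        var_export(parsed_value(render_safe('custom1', $stored)), true));
}
```

The `quoted` sample is the case that tag stripping alone does not cover: the literal quotation marks in the text survive the regex and still need attribute encoding.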