Slashes Added to Messages and Content

Nuke Soldier Joined: Apr 25, 2005 Posts: 20

For some reason a / is being added before every " when I edit a Message or a Content page. Strangely enough, I don't even have to modify the page, if I simply select it 'for' edit, and never save it, the a / gets added before every ". If I try to edit the Message/Content page again, then another / gets added for every ", so I end up with ////" after 4 attempts to edit, once again, I am 'never' saving the Message or Content Page. The /'s get added for each " on the page, and it totally ruins the Comments and Content. Strangely enough, this problem only appears to occur on edits of Messages, not on newly created Messages. I have not verified if the same holds true for newly created Content pages.

Any idea what is going on guys?

Recently, I have upgraded to 7.5 3.2b patch, BBtoNuke 2.0.21, and Nuke Sentinel 2.5, and I am not sure which one introduced the problem. I didn't think to check edit my Messages or Content pages.

I performed the updates in the following order:

o 3.2b Patch
o BBtoNuke 2.0.14
o BBtoNuke 2.0.15
o BBtoNuke 2.0.16
o BBtoNuke 2.0.17
o BBtoNuke 2.0.18
o BBtoNuke 2.0.19
o BBtoNuke 2.0.20
o BBtoNuke 2.0.21
o Nuke Sentinel Deinstall of 2.22
o Nuke Sentinel Install of 2.5

After each upgrade, I would check the site, and the forums, but I never thought to check the Messages or Content pages.

Any ideas what could cause the problem?

Thanks for the help!

Nuke Soldier Joined: Dec 12, 2005 Posts: 25

As far as I know...it has something to do with the 3.2b patch as I am getting this now after I upgraded!! I have posted in several places trying to get an answer...hopefully we can get one soon!!

Captain Joined: Apr 30, 2004 Posts: 566

I think the Patch team is still puzzled why this is happening.....

The issue is the function check_html in the mainfile.php. The latest patch puts a "check_html" around every database input in every part of the Nuke code. Sooo, whenever you edit any "content", the check_html is going to do that bad thing. This is going to happen each time any double quote is placed in a content area.

In other words, the first time you put in your words and include a double quote, check_html will put in this: /" so the echo will work properly. Then each time you open that part to edit, no matter if you did nothing, check_html will put in another forward slash in front of the double quote. For example, if you first placed one set of double quotes in your initial message, it will display properly. By the 3rd time you have opened it to edit it, once you save it, it will display like this: ///"

There are 3 ways around it:

1. Never use a double quote.

2. Remove the / from in front of " before saving your edits.

3. Remove the check_html from the offending area.

How to do this?

OK, for example, you said you had an issue in the Messages. Open the admin/modules/messages.php Go down to the function editmsg. A few lines down you should find this line of code:

Code:

$content = check_html($row["content"], "");

Replace it with this:

Code:

$content = $row["content"];

What this does is to remove the check_html part so that area will not be checked to see if anything is entered that would go against your $allowablehtml.

I know this goes against what the Patch Team put out, but if you must have double quotes in your text, you must remove check_html or it will do its dirty work.

Nuke Soldier Joined: Dec 12, 2005 Posts: 25

For me...my problem is when I try to edit the Administration block. I don't think I can get around not adding double quotes there! So I guess I'm really just screwed until they figure out a good fix for this!

Nuke Soldier Joined: Apr 25, 2005 Posts: 20

The problem is related to a double quote such as "", it is with a single quote ". For every quote or ", a / is being inserted. For now, I am going directly to the database and adding the data there.

Most troubling is the fact that it is apparently updating the database on every click to edit, without an actual save being performed. This means it must be reading the data, inserting the /, and performing an update to the DB, all before it ever displays it for Edit by an Administrator.

Captain Joined: Apr 30, 2004 Posts: 566

I just explained what to do above. You need to remove the check_html from the content area that is causing you the problem. Please note how the change is made as this same process can be done on any other php file in nuke.

I have seen this similar problem in some other php applications. There is a dating website where I saw many ///////'s in the member profiles. Same issue as is happening here. Each time they would open their member account to edit, even if they did nothing, another slash was added.

---not sure they will find a good fix for this---

Nuke Soldier Joined: Apr 25, 2005 Posts: 20

What is the purpose of the check_html method? Is it part of the security, or only something there to help enforce good HTML coding practices?

Nuke Soldier Joined: Apr 25, 2005 Posts: 20

Can I just comment out the check_html method altogether?

Captain Joined: Apr 30, 2004 Posts: 566

You may be having a problem with the php functions stripslashes/addslashes with whether or not magic_quotes is turned on in your php server config. You DO NOT want to comment out the function checkhtml() in mainfile.php. Big issues if you do.

This is part of the ongoing PHP Nuke security issue.......

sorry

Nuke Cadet Joined: Nov 14, 2003 Posts: 9

I had the same slashes trashing my stories and HTML code wherever a " was used. Looking at analyze.php showed magic_quotes_gpc was turned on in the server's PHP.ini.

...but then I found this in the forums:
http://nukecops.com/postlite54279-magicquotesgpc.html

I used an .htaccess file with

Code:

php_value magic_quotes_gpc off

No more problem!
Thanks Endeavour!