H

[ Video Sharing CMS v4 ] Inclusion of <br /> tags in scripts

Started by Hersh,

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

Go Down Pages1

HershTopic starter

I'm having issues with PHPVibe adding line break tags to Google Analytics and Adsense codes. It doesn't look like the line breaks are being inserted into the db though. It's just adding line breaks to the script when it renders it on the page.

Example Ad Sense:

Code Select 
<div class="static-ad"><script async src="//pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script><br />
<!-- Responsive Ad Unit --><br />
<ins class="adsbygoogle"<br />
     style="display:block"<br />
     data-ad-client="ca-pub-*************"<br />
     data-ad-slot="********"<br />
     data-ad-format="auto"></ins><br />
<script><br />
(adsbygoogle = window.adsbygoogle || []).push({});<br />
</script>



Google Analytics:

Code Select 
<script>(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){<br />
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),<br />
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)<br />
})(window,document,'script','//www.google-analytics.com/analytics.js','ga');<br />
<br />
ga('create', 'UA-******-1', 'auto');<br />
ga('send', 'pageview');</script>
  •  

HershTopic starter

#1
Ok, I figured it out. This is the cause:

Code Select 
function _html($txt){
return nl2br(stripslashes(html_entity_decode($txt, ENT_QUOTES, 'UTF-8')));
}
  •  

Marius P.

#2
See this:

Quote from: @Mario on
Ok, here is a brief update:

lib/functions.html.php

Find:

Code Select 
//This light function strips everything...no questions asked
//...except for some few safe html tags



Replace the function under this comment with :



Code Select 
function antixss_light($text) {
$text = preg_replace( '@<(script|style)[^>]*?>.*?</\\1>@si', '', $text );
$text  = strip_tags($text);
//Remove external scripts
$search = array(
    '@<script[^>]*?>.*?</script>@si',   // Strip out javascript
    '@<style[^>]*?>.*?</style>@siU',    // Strip style tags properly
    '@<![\s\S]*?--[ \t\n\r]*>@'         // Strip multi-line comments
  );
$tx_output = preg_replace($search, '', $text);
//Deep remove the rest
$injections = array('<script','iframe','<object','applet','<embed','onblur',');>','onchange','onclick','ondblclick','onfocus','onkeydown','onkeypress','onkeyup','onload','onmousedown','onmousemove','onmouseout','onmouseover','onmouseup','onreset','onselect','onsubmit','onunload', '<src','<img src','onerror','prompt(','alert(', 'document.body.innerHTML', 'document.body', 'document.title','<!--','innerHTML');
$output  = str_replace($injections, '', $tx_output);
return $output;
}


Happy with my help? Buy me a coffee.
Please, always use the search before opening a new topic! We're all here on our (limited) free time! Make sure you help yourself too!
  •  

HershTopic starter

#3
Last Edit: by Hersh
Yeah, the anti XSS code, I have seen that. I updated it the other day. I thought maybe it might have caused the issue but it appears this modification I made (per your suggestion) is what actually caused the problem:

Code Select 
function _html($txt){
return nl2br(stripslashes(html_entity_decode($txt, ENT_QUOTES, 'UTF-8')));
}


I switched it back to the original:
Code Select 
function _html($txt){
return stripslashes(html_entity_decode($txt, ENT_QUOTES));
}


The anti XSS function doesn't appear to have anything to do with it.
  •  

Marius P.

#4
I think the ads system needs a different output function than _html.
This is something at the moment I was unaware off, so thanks!
Happy with my help? Buy me a coffee.
Please, always use the search before opening a new topic! We're all here on our (limited) free time! Make sure you help yourself too!
  •  

HershTopic starter

#5
^^Anytime. Don't forget Analytics codes as well!
  •  
Go Up Pages1

Similar topics (7)