[ Video Sharing CMS v4 ] Inclusion of <br /> tags in scripts

Started by Hersh


Hersh (Topic starter)

I'm having issues with PHPVibe adding line break tags to Google Analytics and AdSense codes. It doesn't look like the line breaks are being inserted into the db though. It's just adding line breaks to the script when it renders it on the page.

Example AdSense:

<div class="static-ad"><script async src="//pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script><br />
<!-- Responsive Ad Unit --><br />
<ins class="adsbygoogle"<br />
     style="display:block"<br />
     data-ad-client="ca-pub-*************"<br />
     data-ad-slot="********"<br />
     data-ad-format="auto"></ins><br />
<script><br />
(adsbygoogle = window.adsbygoogle || []).push({});<br />
</script>



Google Analytics:

<script>(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){<br />
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),<br />
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)<br />
})(window,document,'script','//www.google-analytics.com/analytics.js','ga');<br />
<br />
ga('create', 'UA-******-1', 'auto');<br />
ga('send', 'pageview');</script>

Hersh (Topic starter)

Ok, I figured it out. This is the cause:

function _html($txt){
return nl2br(stripslashes(html_entity_decode($txt, ENT_QUOTES, 'UTF-8')));
}

Marius P.

See this:

Quote from: @Mario on
Ok, here is a brief update:

lib/functions.html.php

Find:

//This light function strips everything...no questions asked
//...except for some few safe html tags



Replace the function under this comment with :



function antixss_light($text) {
$text = preg_replace( '@<(script|style)[^>]*?>.*?</\\1>@si', '', $text );
$text  = strip_tags($text);
//Remove external scripts
$search = array(
    '@<script[^>]*?>.*?</script>@si',   // Strip out javascript
    '@<style[^>]*?>.*?</style>@siU',    // Strip style tags properly
    '@<![\s\S]*?--[ \t\n\r]*>@'         // Strip multi-line comments
  );
$tx_output = preg_replace($search, '', $text);
//Deep remove the rest
$injections = array('<script','iframe','<object','applet','<embed','onblur',');>','onchange','onclick','ondblclick','onfocus','onkeydown','onkeypress','onkeyup','onload','onmousedown','onmousemove','onmouseout','onmouseover','onmouseup','onreset','onselect','onsubmit','onunload', '<src','<img src','onerror','prompt(','alert(', 'document.body.innerHTML', 'document.body', 'document.title','<!--','innerHTML');
$output  = str_replace($injections, '', $tx_output);
return $output;
}


Happy with my help? Buy me a coffee.
Please, always use the search before opening a new topic! We're all here on our (limited) free time! Make sure you help yourself too!

Hersh (Topic starter)

Yeah, the anti XSS code, I have seen that. I updated it the other day. I thought maybe it might have caused the issue but it appears this modification I made (per your suggestion) is what actually caused the problem:

function _html($txt){
return nl2br(stripslashes(html_entity_decode($txt, ENT_QUOTES, 'UTF-8')));
}


I switched it back to the original:
function _html($txt){
return stripslashes(html_entity_decode($txt, ENT_QUOTES));
}


The anti XSS function doesn't appear to have anything to do with it.

Marius P.

I think the ads system needs a different output function than _html.
This is something at the moment I was unaware of, so thanks!

Hersh (Topic starter)

^^Anytime. Don't forget Analytics codes as well!
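
The separate output function suggested above for ad and analytics code, as an added example that is not part of the thread or of PHPVibe's own code. `_embed_code()` and `has_injected_br()` are hypothetical names, the ad snippet is constructed, and entity-encoded storage is assumed because `_html()` decodes on output.

```php
<?php
// Added example. _embed_code() and has_injected_br() are hypothetical names,
// not PHPVibe functions; the ad snippet below is constructed sample input.

// The modified _html() from the thread: fine for plain text, breaks embeds.
function _html($txt) {
    return nl2br(stripslashes(html_entity_decode($txt, ENT_QUOTES, 'UTF-8')));
}

// Output function for ad/analytics code: same decoding, no nl2br().
// It emits markup unfiltered, so feed it only admin-saved settings.
function _embed_code($txt) {
    return stripslashes(html_entity_decode($txt, ENT_QUOTES, 'UTF-8'));
}

// True if a <br> landed inside a <script> body or inside a tag's attribute
// list, the two breakages visible in the rendered AdSense code above.
function has_injected_br($html) {
    if (preg_match_all('@<script\b[^>]*>(.*?)</script>@si', $html, $m)) {
        foreach ($m[1] as $body) {
            if (preg_match('@<br\s*/?>@i', $body)) {
                return true;
            }
        }
    }
    // e.g. <ins class="adsbygoogle"<br /> : a tag opened but not yet closed
    return (bool) preg_match('@<[a-z][^<>]*<br\s*/?>@i', $html);
}

$snippet = <<<'HTML'
<ins class="adsbygoogle"
     style="display:block"></ins>
<script>
(adsbygoogle = window.adsbygoogle || []).push({});
</script>
HTML;
$stored = htmlentities($snippet, ENT_QUOTES, 'UTF-8'); // assumption: stored entity-encoded

foreach (array('_html', '_embed_code') as $fn) {
    $rendered = $fn($stored);
    printf("%-12s injected <br>: %s\n", $fn, has_injected_br($rendered) ? 'yes' : 'no');
}
```

`stripslashes()` is kept from the original function; it also removes backslashes that belong to the JavaScript itself, so snippets containing escape sequences need checking after a save.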