    • 36763
    • 70 Posts
    Hi All,

    I've got a problem and it's driving me crazy.

    I'm trying to $_POST this content:

    	<title>Page Title</title>
    	<meta name="viewport" content="width=device-width, initial-scale=1">
    	<link rel="stylesheet" href="http://code.jquery.com/mobile/1.3.2/jquery.mobile-1.3.2.min.css" />
    	<script src="http://code.jquery.com/jquery-1.9.1.min.js"></script>
    	<script src="http://code.jquery.com/mobile/1.3.2/jquery.mobile-1.3.2.min.js"></script>
    	
    </head>
    <body>
    
    <div data-role="page">
    
    	<div data-role="header">
    		<h1>Page Title</h1>
    	</div><!-- /header -->
    
    	<div data-role="content">
    	


    to a (self) page, and then read and store that data. The trouble is that when I do, I get the following results returned:

    	<title>Page Title</title>
    	<meta name="viewport" content="width=device-width, initial-scale=1">
    	<link rel="stylesheet" href="http://code.jquery.com/mobile/1.3.2/jquery.mobile-1.3.2.min.css" />
    	
    	
    	
    </head>
    <body>
    
    <div data-role="page">
    
    	<div data-role="header">
    		<h1>Page Title</h1>
    	</div><!-- /header -->
    
    	<div data-role="content">
    	


    As you can see, the "Script" tag and its contents are missing. This is weird, because I have "Allow Tags in POST" set to YES.
    Is this a context thing? I'm POSTing the content (as a logged-in user) as a web user with the correct permission. I know the POST script works, because the other fields work, and the current field is saved when I test it with other text.





    This is a sample of the POST retrieval code:

    ...
            $pt_content_header = htmlentities($_POST['pt_content_header'], ENT_QUOTES);
            $pt_content_footer = htmlentities($_POST['pt_content_footer'], ENT_QUOTES);
             $user_id = $modx->user->get('id');
         	 $sql = "insert into test_templates 
            (pt_client, pt_client_edited_by, pt_name, pt_content_css, pt_content_header, pt_content_footer)
            Values ('" . $clientid . "','" . $user_id . "','" . $pt_name . "', '" . $pt_content_css . "', '" . $pt_content_header . "', '" . $pt_content_footer . "')";
            $results = $modx->query($sql);
            // $modx->query() returns a PDOStatement (or false on failure); it cannot be echoed directly.
            echo $results ? 'Saved' : 'Save failed';


    And sample of the form:

     echo '<form id="theme" method="post" action="index.php?id=' . $id . '&tid=' . $tid . '&task=2">';
      echo "<b>Header</b> (<a href=\"javascript:DefaultHeader();\">Default</a>)<br>\n";
      echo '<textarea rows="8" cols="50" name="pt_content_header" type="text">'. ($row['pt_content_header']). '</textarea>';
    	


    Any suggestions would be great. Thanks, Steve


    [ed. note: vrdriver last edited this post 10 years, 8 months ago.]
    • How do you submit the data? Do you use FormIt or something?
        MODX Ambassador (NL) & Professional MODX developer
        Follow me on Twitter | Visit my page on Facebook | View my code on Github | View my script posts
        MODX e-commerce solution SimpleCart
        • 36763
        • 70 Posts
        I'm doing it from a file-based template snippet, as I'm using other tables outside the MODX db.
        Thanks for the quick reply.
          • 3749
          • 24,544 Posts
          If you are running from the command line, any permission-related tests are usually bypassed.
            Did I help you? Buy me a beer
            Get my Book: MODX:The Official Guide
            MODX info for everyone: http://bobsguides.com/modx.html
            My MODX Extras
            Bob's Guides is now hosted at A2 MODX Hosting
            • 36763
            • 70 Posts
            It's a self-contained snippet that handles the $_POST and the form tag, and it is integrated into a page (inside a template) that I'm accessing through a normal browser.

            The problem lies with content being stripped out of my POSTed values. At this stage it's the $_POST['pt_content_header'] field.

            I'm using the basic modx log in profile system that works fine too with editing of other users etc, so I'm fairly sure that's not the issue.

            To get better context and help identify where I've gone wrong, this is what I've created so far. I'm a little ashamed of posting my code, because it's not 'pretty', nice to look at or finished, but this is it:




            Standard Foundation Template:

            <!DOCTYPE html>
            <!--[if lt IE 7]> <html class="no-js lt-ie9 lt-ie8 lt-ie7" lang="en"> <![endif]-->
            <!--[if IE 7]>    <html class="no-js lt-ie9 lt-ie8" lang="en"> <![endif]-->
            <!--[if IE 8]>    <html class="no-js lt-ie9" lang="en"> <![endif]-->
            <!--[if gt IE 8]><!--> <html class="no-js" lang="en"> <!--<![endif]-->
            	<head>
            		[[$head]]
            	</head>
            	<body>
            		[[$navbar]]
            		<div class="row content">
            			[[*id:isnot=`[[++site_start]]`:then=`[[$breadcrumb]]`]]
            			[[$content]]
            			[[$footer]]
            		</div>
            	</body>
            </html>


            The content of my page (index.php?id=9)


            Manage and edit your poll templates.
            
            [[polladmin_template_edit_select]]



            Snippet: polladmin_template_edit_select

            (Still being developed)


            <?php
            error_reporting(E_ALL);
            ini_set('display_errors', '1');
             
            /*
            // Show all POST/GET events.
            
             foreach ($_REQUEST as $key=>$val)
            {
              echo $key .' = '. htmlentities($val) . '<br />';
            
            }
            */
            
            // Read the page, task and template ids from the query string. Default
            // them to 0 so the comparisons further down never touch an undefined variable.
            $id = isset($_GET['id']) ? (int)$_GET['id'] : 0;
            $tasktype = isset($_GET['task']) ? (int)$_GET['task'] : 0;
            $tid = isset($_GET['tid']) ? (int)$_GET['tid'] : 0;
            
            
            ?>
            
            <script type="text/javascript">
            	function DefaultHeader()
            	{
            		 $('#pt_content_header').val('<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">\n</head>\n<body>\n<h1>Vote Now</h1>'); 
            	}
            </script>
            
            
            
            <?php
            
            
            // Default text
            
            if (empty($_POST) && $tasktype==0  )
            {
                // Display the groups a user is in:
                echo "You are listed with the following user group credentials: <br><br>";    
                
            	foreach($modx->user->getUserGroupNames( ) as $group) {
                    echo "{$group}<br>";
                }    
                echo '<br><a href="index.php?id=' . $id . '&task=2">Create a new template</a>';    
            }
            
            
            
            
            // If the page is being Saved
            
            if (!empty($_POST))
            {
                 
                // pt_id is only posted on an update; default it so the check below is safe,
                // and give $results a value so the "Changes saved" test always has one.
                $pt_id = isset($_POST['pt_id']) ? (int)$_POST['pt_id'] : 0;
                $results = false;
                
                
              if($pt_id) // means it's an update.
              {
                     //$pt_content_header = $modx->sanitizeString($_POST['pt_content_header']);  // sanitizeString removes all codes and other stuff. Don't use yet.
                    $pt_name = htmlentities($_POST['pt_name'], ENT_QUOTES);
                    $pt_content_css = htmlentities($_POST['pt_content_css'], ENT_QUOTES);
                    $pt_content_footer = htmlentities($_POST['pt_content_footer'], ENT_QUOTES);
                    $pt_content_header = htmlentities($_POST['pt_content_header'], ENT_QUOTES);
                  
            	    
                    //update the record now.
                    
                    $sql = "UPDATE polls_templates SET
                    pt_name = '" . $pt_name . "',
                    pt_content_css = '" . $pt_content_css . "',
                    pt_content_header = '" . $pt_content_header . "',
                    pt_content_footer = '" . $pt_content_footer . "'
                    WHERE pt_id= '". $pt_id . "'"; 
            		
                    $results = $modx->query($sql);
                
              } else
              {
              
            //  echo "t";
              
                 if (isset($_POST['pt_new']) && $_POST['pt_new'] == 'new' && $tasktype == 2)
                 {
                 	// it's a new entry.
                    
               	  //$pt_content_header = $modx->sanitizeString($_POST['pt_content_header']);  // recommended! 
            	  
            	  //clientid
                    $clientid = (int)$_POST['clientid']; // a group id, so cast to int rather than entity-encode it
            		$pt_name = htmlentities($_POST['pt_name'], ENT_QUOTES);
                    $pt_content_css = htmlentities($_POST['pt_content_css'], ENT_QUOTES);
                    $pt_content_header = htmlentities($_POST['pt_content_header'], ENT_QUOTES);
                    $pt_content_footer = htmlentities($_POST['pt_content_footer'], ENT_QUOTES);
                     $user_id = $modx->user->get('id');
                 	 $sql = "insert into polls_templates 
                    (pt_client, pt_client_edited_by, pt_name, pt_content_css, pt_content_header, pt_content_footer)
                    Values ('" . $clientid . "','" . $user_id . "','" . $pt_name . "', '" . $pt_content_css . "', '" . $pt_content_header . "', '" . $pt_content_footer . "')";
                    
                    // Do not echo $sql here: it reflects the posted content straight back into the page.
                    
                    
                    //$sql = "SELECT * FROM `polls_templates` where pt_id = '" . $tid . "' LIMIT 1";
                    $results = $modx->query($sql);
                    // $modx->query() returns a PDOStatement (or false on failure); echoing it directly errors.
                 
            	 	echo '<a href="index.php?id=' . $id . '">Continue</a>';
                 
                 } 
               }
               
               
                if ($results) { echo "Changes saved"; } else { echo "Save failed"; }
                
                }
            
            
            
            
            
            // Standard Page
            
            if($tasktype==0) 
            {
            
            
            
               
                $templates = array();
                foreach($modx->user->getUserGroups( ) as $group) {     
                    $templates[] =  $group;    
                }
                
                $templates_id = "'" . implode("', '", $templates ) . "'";
                $query = "SELECT * FROM voting_modx.polls_templates where pt_client IN($templates_id)";
               // echo $query;
               
                echo "<br><br>";
                echo "Your Available templates:<br>\n";
             
                 foreach ($modx->query($query) as $row) 
                {
                    echo '<div class="theme_names"><a href="index.php?id=' . $id . '&tid=' . $row['pt_id'] .'">' . $row['pt_name'] .'</a> - ';
                    echo '<a href="index.php?id=' . $id . '&tid=' . $row['pt_id'] .'&task=1">Edit</a></div>';
                } 
                  
                  
            }
                  
                  
                  
                  
            // Means we are editing the selected template      
            if($tasktype==1)
            {
            
             
                $sql = "SELECT * FROM `polls_templates` where pt_id = '" . $tid . "' LIMIT 1";
                echo "<br>";
                echo "<b>Your Current Theme Code:</b><br>\n"; 
            	echo "<p><a href=\"vote/view_template.php?tid=" . $tid ."&preview=1\" onclick=\"positionedPopup(this.href,'TemplatePreview','300','600','100','200','yes');return false\">Preview this template</a></p>";
                echo "<br>";
            
                echo '<form id="theme" method="post" action="index.php?id=' . $id . '&tid=' . $tid . '&task=1">';
                
                
                    foreach ($modx->query($sql) as $row) 
            	{ 
                		echo "<b>Theme Name</b><br>\n";
                        echo '<input name="pt_name" id="pt_name" type="text" value="' . $row['pt_name']. '">'; 
             	   		echo '<input name="pt_id" id="pt_id" type="hidden" value="' . $row['pt_id'] . '">';
                        echo '<input name="pt_client" id="pt_client" type="hidden" value="' . $row['pt_client']. '">';
                        echo "<b>CSS</b><br>\n";
                        echo '<textarea rows="8" cols="50" name="pt_content_css" id="pt_content_css" type="text">'. $row['pt_content_css']. '</textarea>';            
                        echo "<b>Header</b> (<a href=\"javascript:DefaultHeader();\">Default</a>)<br>\n";
                        echo '<textarea rows="8" cols="50" name="pt_content_header" id="pt_content_header" type="text">'. $row['pt_content_header']. '</textarea>';
                        echo "<b>Footer</b><br>\n";
                        echo '<textarea rows="8" cols="50" name="pt_content_footer" id="pt_content_footer" type="text">' . $row['pt_content_footer']. '</textarea>'; 
                       echo "<br><br>";
                } 
                
                echo '<input type="submit" name="submit" value="Save Results" />';
                echo '<input type="reset" name="reset" value="Reset" />';
                echo '<a href="index.php?id=' . $id . '">Cancel</a>';
                echo '</form>';
            
            }      
                    
             
              
              
            // Means we are creating a new template      
            if($tasktype==2)
            {
            
             
              echo "<br>";
              echo "<b>Your Current Theme Code:</b><br>\n"; 
              echo "<p>Preview available when you first save this template.</p>";
              echo "<br>";
            
              echo '<form id="theme" method="post" action="index.php?id=' . $id . '&tid=' . $tid . '&task=2">';
              echo '<input name="pt_id" id="pt_id" type="hidden">';
              echo '<input name="pt_new" id="pt_new" type="hidden" value="new">';
              echo '<input name="pt_client" id="pt_client" type="hidden">'; 
                
              echo "<b>Theme Account</b>:<br>"; 
              echo "<Select id=\"clientid\" name=\"clientid\">";
              
              $query = "SELECT * FROM modx_member_groups, modx_membergroup_names WHERE user_group = modx_membergroup_names.id AND modx_member_groups.member = '" . $modx->user->get('id') . "'";
                
              foreach ($modx->query($query) as $row)  
             	{		
            		if($row['name']!= "Protected") // not allowed to add things to the protected default templates.
            		{
                		echo '<option value="' . $row['user_group'] . '">' . $row['name'] . '</option>'; 
            		}
            	}
                echo "</select><br><br>\n";
                echo "<b>Theme Name</b><br>\n";
            	echo '<input name="pt_name" id="pt_name" type="text" >'; 
            	echo "<b>CSS</b><br>\n";
            	// New template: start with empty fields. $row here is the last membership row from the
            	// group query above, not a template, so it has no pt_content_* keys to read.
            	echo '<textarea rows="8" cols="50" name="pt_content_css" id="pt_content_css"></textarea>';
            	echo "<b>Header</b> (<a href=\"javascript:DefaultHeader();\">Default</a>)<br>\n";
            	// id is required here: DefaultHeader() fills the field via $('#pt_content_header').
            	echo '<textarea rows="8" cols="50" name="pt_content_header" id="pt_content_header"></textarea>';
            	echo "<b>Footer</b><br>\n";
            	echo '<textarea rows="8" cols="50" name="pt_content_footer" id="pt_content_footer"></textarea>';
            	echo "<br><br>";
            	echo '<input type="submit" name="submit" value="Save Results" />';
                echo '<input type="reset" name="reset" value="Reset" />';
                echo '<a href="index.php?id=' . $id . '">Cancel</a>';
                echo '</form>';
            
            }      
                    
             
            // Everything was echoed above; return an empty string rather than the undefined $output.
            return '';
            


              • 3749
              • 24,544 Posts
              I don't see any place where the $_POST values are being set. Is there a form in the page content?
                • 36763
                • 70 Posts
                The form for this is on line 187, and the values get POSTed back.
                [ed. note: vrdriver last edited this post 10 years, 8 months ago.]
                  • 3749
                  • 24,544 Posts
                  So it is. Sorry, I guess I didn't scroll down far enough.

                  I'm still not clear on how you are executing the script. Is it a snippet in MODX?
                    • 36763
                    • 70 Posts
                    Hi Bob, yes, it's a static snippet and included on a page. I'm sure it's a layer of security I'm missing... but I can't figure out where to stop MODX from stripping the <'script'> tag from my posted values.

                    Have you seen HTML tags removed like this before? [ed. note: vrdriver last edited this post 10 years, 8 months ago.]
                      • 36763
                      • 70 Posts
                      I had an "ahh haa" moment tonight. This got me thinking and I did some even more digging around.

                      I believe I have solved this now by adding a setting to the web context. I feel so dumb. I knew it was 'something' to do with permissions.

                      This is how I solved it.

                      I added a setting called "allow_tags_in_post" and made the key "allow_tags_in_post" and set the value to "1".

                      Thanks guys for originally assisting. Gotta love ACL! This is why I'm using them. Heaps of permissions, and lots of permissions.

                      I'll call this case closed for now.
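
As an added example (not vrdriver's snippet and not part of the thread), here is the "new template" save path from the posted code redone so that user input never becomes part of the SQL text and stored markup is escaped when rendered back into the editor. It assumes the $modx object available inside a MODX snippet, the polls_templates table and column names from the thread, that modUser::getUserGroups() returns the user's group ids (as the thread's own IN(...) query relies on), and that the web context setting allow_tags_in_post = 1 from the accepted answer is in place, since otherwise MODX strips <script> before the snippet ever sees $_POST.

```php
<?php
// Added example, not the thread's code. Assumes $modx (MODX snippet scope),
// the polls_templates table from the thread, and allow_tags_in_post = 1.

function savePollTemplate(modX $modx, array $post)
{
    foreach (array('clientid', 'pt_name', 'pt_content_css',
                   'pt_content_header', 'pt_content_footer') as $field) {
        if (!isset($post[$field])) {
            return false;
        }
    }

    // The form's <select> only hides the "Protected" group client-side.
    // Enforce it server-side: the chosen client must be a group this user is in.
    $clientId = (int) $post['clientid'];
    $myGroups = array_map('intval', $modx->user->getUserGroups());
    if (!in_array($clientId, $myGroups, true)) {
        return false;
    }

    // Store the content exactly as posted. htmlentities() at save time is what
    // turns "<script>" into "&lt;script&gt;" in the database; it is not what
    // keeps the query safe. Bound parameters do that.
    $stmt = $modx->prepare(
        'INSERT INTO polls_templates
           (pt_client, pt_client_edited_by, pt_name, pt_content_css,
            pt_content_header, pt_content_footer)
         VALUES (:client, :editor, :name, :css, :header, :footer)'
    );
    if (!$stmt) {
        return false;
    }
    return $stmt->execute(array(
        ':client' => $clientId,
        ':editor' => (int) $modx->user->get('id'),
        ':name'   => $post['pt_name'],
        ':css'    => $post['pt_content_css'],
        ':header' => $post['pt_content_header'],
        ':footer' => $post['pt_content_footer'],
    ));
}

// Output side: escape when rendering the stored value into the editor's
// textarea. The browser decodes the entities, so the author sees and resubmits
// the original markup, while a stored "</textarea>" cannot break out of the field.
function templateTextarea($name, $value)
{
    return '<textarea rows="8" cols="50" name="' . $name . '" id="' . $name . '">'
         . htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8')
         . '</textarea>';
}
```

Called from the snippet as `savePollTemplate($modx, $_POST)` on save and `templateTextarea('pt_content_header', $row['pt_content_header'])` when building the edit form, it replaces both the concatenated INSERT and the encode-on-input step.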