Forum / Development Forum / Rain TPL 3 / problem with charset and htmlspecialchars 


+   Reply to Thread

01/25/12 - 11:56 AM
torrone

 I have a problem.

I compose a page with other small pieces of the pages

Example

TEMPLATE.HTML<html>
<body>
<div id="contenuto">
{$contenuto}
</div>
</body>
</html>

HOME.HTML<div class="pagina">
<h1>Home page</h1>
</div>

HOME.PHP<?php

session_start();

define( "BASE_DIR", substr(dirname($_SERVER['SCRIPT_FILENAME']), 0, strrpos(dirname($_SERVER['SCRIPT_FILENAME']), '/') + 1) );

include BASE_DIR . "inc/rain.tpl.class.php";
include BASE_DIR . "inc/db.php";
include BASE_DIR . "inc/elaborazione.php";
include BASE_DIR . "fun/function.php";
include BASE_DIR . "inc/costanti.php";

raintpl::configure("tpl_dir", BASE_DIR . "tpl/" );
raintpl::configure("cache_dir", BASE_DIR . "tmp/" );

$tpl = new RainTPL;
$contenuto = $tpl->draw( 'varie/HOME', $return_string = TRUE );
$tpl->assign( 'contenuto', $contenuto );
$tpl->draw( 'TEMPLATE' );

?>

everything inside the "content" is transformed<div class="box_paginasx">
<h1>Home page</h1>
</div>

is there a way to solve the problem?

erasing the line 503 fixes the problem, but there is no more converting UTF-8

thanks

Andrea
01/26/12 - 10:30 PM
Rain
Rain Team
 Interesting, I'm working on this bug right now, definitely an error with the UTF-8 encoding, thanks for reporting it!
01/26/12 - 11:01 PM
Rain
Rain Team
 Hey Torrone,
the reason was pretty simple, auto_escape is enabled by default so any HTML assigned as variable is parsed by htmlspecialchars.

The solution is to disable auto_escape:raintpl::configure("auto_escape", false);

I just updated RainTpl 3 on github, now auto_escape is false by default to avoid any problems.

We've to think of how to implement the auto_escape without creating any annoying problems as the one you experienced!

Apologies for this problem and thanks for your bug report!
01/27/12 - 08:27 PM
torrone

 thanks a lot!

in localhost did not give me errors, while on Aruba I found this error in line 154 of rainTpl.php

$code = preg_replace_callback ( "/##XML(.*?)XML##/s", function( $match ){

Parse error: syntax error, unexpected T_FUNCTION in /web/htdocs/www.sito.it/raintpl/rainTpl.php on line 154
01/27/12 - 09:22 PM
Rain
Rain Team
 Hey Torrone,
RainTpl 3 works on PHP 5.3+ and probably Aruba installs an older version.

I strongly suggests you to ask them to update the version, especially since the Hash Collision vulnerability become public, and the PHP team released just a few days after PHP 5.3.9 as patch for it, by introducing the max_input_vars configuration.
http://www.php.net/archive/2012.php#id2012-01-11-1

Here is the video that talk about this vulnerability:
http://www.youtube.com/watch?v=R2Cq3CLI6H8
in a nutshell, by sending a big amount of POST parameters with same name, the server starts using a lot of CPU, with multiple of this attack the server can halt.
01/27/12 - 09:45 PM
torrone

 sorry my mistake ... it was my inadvertence
I updated to 5.3.8 (the latest version of aruba) and everything is ok I think:)

thanks

Andrea

+   Reply to Thread