
I am developing a web app and want to make it so that the user can create some stuff by POSTing XML data. For that purpose there is a <textarea> where the user can write (copy/paste) XML and submit it. The problem is that I am losing data: characters such as <, >, and I think others too, get lost.

Maybe it is a framework problem, I'm not sure; I am using Elgg and receiving the data with get_input().

UPDATE1: some code answering the comment:

<form method="POST" action="http://for.bar/slash" enctype="text/xml">
<!-- the textarea the user pastes XML into; get_input('data') reads this field -->
<textarea name="data"></textarea>
<input name="add" type="submit" value="Create" />
</form>

To receive the data I use Elgg's get_input():

$data = get_input('data');

2 Answers


If I were to make a wild guess, I'd say that there is some kind of auto-magical XSS protection being used by get_input(). You could try doing a print_r($_POST); or perhaps Elgg is "sanitizing" all of $_POST as well. In this case you may have to base64-encode the data with JavaScript before submitting the request.


3 Comments

You were right! Thx a lot. The get_input() function has a $filter_result = true parameter.
+1. Yeah, this results in the input being mangled by htmlawed_filter_tags, which tries to make the input HTML whether it was supposed to be HTML or not. XSS “protection” at the input stage is always the wrong thing, and this is a particularly bad example of it. I strongly question the competence of the developers of this package.
That is a nasty "feature" that is all too common. I agree that it is the wrong place for an xss filter. I am glad I can help!
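The thread above resolves the question: Elgg's get_input() runs its HTML filter on the value unless the third argument ($filter_result) is false, so the XML arrives mangled. What the answer does not show is what the action should do instead once it has the raw textarea value. The following is an added example, not code from the question, the answer or Elgg itself; it assumes the Elgg 1.x signature get_input($name, $default = '', $filter_result = true) and the field name data from the question's form. The approach is the defensive one the comments argue for: take the input unfiltered, validate it strictly as XML (no network, no entity substitution, no DOCTYPE), and escape only at the point where it is rendered back into HTML.

```php
<?php
// Added example, not code from the question or from Elgg. Assumes Elgg 1.x,
// where get_input($name, $default = '', $filter_result = true) passes the
// value through the HTML filter unless the third argument is false.
declare(strict_types=1);

/**
 * Strictly parse XML submitted by the user. Returns a DOMDocument or throws
 * InvalidArgumentException explaining why the document was rejected.
 */
function parse_submitted_xml(string $raw): DOMDocument
{
    if ($raw === '') {
        throw new InvalidArgumentException('no XML was submitted');
    }
    if (strlen($raw) > 1024 * 1024) {
        throw new InvalidArgumentException('XML body exceeds 1 MiB');
    }
    // '//u' fails to match on byte sequences that are not valid UTF-8.
    if (preg_match('//u', $raw) !== 1) {
        throw new InvalidArgumentException('XML body is not valid UTF-8');
    }

    // Collect libxml errors ourselves instead of letting them surface as PHP warnings.
    $previous = libxml_use_internal_errors(true);
    if (PHP_VERSION_ID < 80000) {
        // Older PHP: explicitly refuse to resolve external entities (XXE defence).
        libxml_disable_entity_loader(true);
    }

    $doc = new DOMDocument();
    // LIBXML_NONET forbids network access during parsing. LIBXML_NOENT is
    // deliberately absent, so entity references are never substituted.
    $loaded = $doc->loadXML($raw, LIBXML_NONET);
    $errors = libxml_get_errors();
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    if (!$loaded) {
        $first  = $errors[0] ?? null;
        $detail = $first !== null
            ? sprintf('line %d: %s', $first->line, trim($first->message))
            : 'unknown error';
        throw new InvalidArgumentException('malformed XML (' . $detail . ')');
    }
    // A DOCTYPE is the vehicle for entity-expansion attacks and this feature
    // has no legitimate use for one, so reject it outright.
    if ($doc->doctype !== null) {
        throw new InvalidArgumentException('DOCTYPE declarations are not accepted');
    }
    return $doc;
}

/**
 * Action handler for the form in the question. Reads the raw textarea value,
 * validates it as XML, and HTML-escapes it only when rendering it back.
 */
function create_from_xml_action(): string
{
    // Third argument false: skip Elgg's input-stage HTML filter so '<', '>'
    // and '&' reach us untouched. (Assumed Elgg 1.x signature.)
    $raw = (string) get_input('data', '', false);

    try {
        $doc = parse_submitted_xml($raw);
    } catch (InvalidArgumentException $e) {
        // The message can echo fragments of user input, so escape it as well.
        return '<p class="error">'
             . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8')
             . '</p>';
    }

    $root = $doc->documentElement->tagName;
    // Output encoding happens here, in the HTML context, rather than by
    // rewriting the input before we even know what it is.
    return '<p>Created from &lt;' . htmlspecialchars($root, ENT_QUOTES, 'UTF-8') . '&gt;</p>'
         . '<pre>' . htmlspecialchars($doc->saveXML(), ENT_QUOTES, 'UTF-8') . '</pre>';
}
```

The split between the two functions is the point: parse_submitted_xml() decides whether the bytes are acceptable XML and knows nothing about HTML, while create_from_xml_action() decides how to present the result and does all the HTML escaping. Filtering at the input stage, as the default $filter_result = true does, conflates those two jobs and is why the user's angle brackets disappeared.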

According to MDN, the only standard values that should be used in a form's enctype attribute are the following:

  • application/x-www-form-urlencoded
  • multipart/form-data
  • text/plain

That being said, you can run into unpredictable situations by giving it the value application/xml.

Source: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/form#attr-enctype
