Kaboom

Reputation: 684

PHP File Editor - Working out some bugs

I have made an online file editor and file manager script for my web development company so that our hosted website users can manage their own files and edit their templates as they see fit. It is coded in PHP and allows users to edit HTML, text, PHP, JS, jQuery, and any text-based file. Since we only really support English and code everything in UTF-8, it has been built to support the UTF-8 encoding.

Unfortunately, there is a small issue I noticed during testing. Since I am using htmlentities and then using html_entity_decode when they are saved (submitted), anything a user enters that they WANT to stay as an HTML entity is then also converted by my code.

Here is an image to illustrate the issues we are experiencing: [screenshot of the editor, not reproduced here]

Here's the process I am using to write the contents of the textarea to the original file:

if(isset($_POST['filecontents'])) {
    // Text submitted from the <textarea> in the editor form
    $contents = $_POST['filecontents'];
    // Decode HTML entities before writing the text back to disk
    $filecontents = html_entity_decode($contents, ENT_NOQUOTES, "UTF-8");
    // Target path is built directly from the submitted filename (no validation here)
    $fileloc = "/htdocs/usr/". $_POST['filename'];
    // Overwrite the file with the decoded contents
    $filewrite = fopen($fileloc, "w");
    fwrite($filewrite, $filecontents);
    fclose($filewrite);
    die();
}

Since I am using htmlentities to output the file into an editable textarea it comes out looking proper in the textarea, but when it is saved, it converts all the items instead of just the ones I want converted, so when they resubmit the page, they lose copyright symbols, registered symbols, menu buttons and the like. If I DON'T use htmlentities before I output it to the page, then any PHP script code will try and run because it's being echoed out, and any closing tags like </textarea> could cause huge issues for the script.

Question time: Is there a way to properly replace all of the open and close tags, i.e. < and >, in the file with their HTML entity alternatives but not replace ANY other entity in the script? That way anything else that is entered will be properly saved into the file afterwards.

Upvotes: 2

Views: 82

Answers (1)

SLaks

Reputation: 887413

You should not call html_entity_decode().

htmlentities() is necessary to insert arbitrary content into HTML source. However, the POST from the browser is raw text, and is not HTML encoded.

Upvotes: 4
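The round trip the answer describes, as an added example that is neither the poster's script nor SLaks's code. It assumes the edited files live under a fixed directory ($baseDir), uses hypothetical helper names (escapeForTextarea, renderEditor, resolveInside, saveFile, roundTrip), and approximates the browser's parsing of the textarea content with html_entity_decode(), which is what produces the raw text the browser actually POSTs. It also restricts the target path to that directory, since the posted script concatenates $_POST['filename'] into the path unchecked.

```php
<?php
// Added example, not code from the question or the answer. Assumptions: files
// are edited under $baseDir, and the helper names below are hypothetical.
declare(strict_types=1);

// Escape file contents for insertion inside <textarea>...</textarea>.
// htmlspecialchars() only touches & < > " and ', so an existing "&copy;" in the
// file becomes "&amp;copy;" and the browser displays the literal text "&copy;".
function escapeForTextarea(string $contents): string
{
    return htmlspecialchars($contents, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Render the editor form; every value placed into HTML goes through the escaper.
function renderEditor(string $filename, string $contents): string
{
    return '<form method="post">'
        . '<input type="hidden" name="filename" value="' . escapeForTextarea($filename) . '">'
        . '<textarea name="filecontents">' . escapeForTextarea($contents) . '</textarea>'
        . '<button>Save</button></form>';
}

// Resolve the requested name to an existing file inside $baseDir and reject
// anything that escapes it. basename() drops directory parts and realpath()
// collapses ".." so the prefix check is done on the canonical path.
function resolveInside(string $baseDir, string $filename): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $real = realpath($base . DIRECTORY_SEPARATOR . basename($filename));
    if ($real === false || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

// The browser has already turned the entities back into characters before
// submitting, so the POST body is raw text: write it to disk unchanged,
// with no html_entity_decode() call.
function saveFile(string $baseDir, string $filename, string $postedContents): bool
{
    $path = resolveInside($baseDir, $filename);
    if ($path === null) {
        return false;
    }
    return file_put_contents($path, $postedContents, LOCK_EX) !== false;
}

// Simulate the editor round trip offline: render, let the "browser" parse the
// textarea (html_entity_decode stands in for it), then compare what would be
// POSTed against the original file, and show what a second decode does to it.
function roundTrip(string $source): array
{
    $rendered = escapeForTextarea($source);
    $postBody = html_entity_decode($rendered, ENT_QUOTES, 'UTF-8');
    return [
        'rendered'      => $rendered,
        'breaks_out'    => strpos($rendered, '</textarea>') !== false,
        'raw_matches'   => $postBody === $source,
        // What the posted script did on save: decode the raw text once more.
        'decoded_again' => html_entity_decode($postBody, ENT_NOQUOTES, 'UTF-8'),
    ];
}

// Constructed sample file: PHP code, literal entities the owner wants kept,
// a closing tag and a script tag, the cases the question worries about.
$sample = "<?php echo 'Menu'; ?> &copy; 2013 &reg; </textarea><script>alert(1)</script>";
$result = roundTrip($sample);
echo renderEditor('template.html', $sample), PHP_EOL;
var_dump($result['breaks_out'], $result['raw_matches'], $result['decoded_again'] === $sample);
```

The three var_dump() values correspond to the three points at issue: whether the escaped page still contains a closing textarea tag (it does not, so the script tag cannot run either), whether the text the browser would POST is byte-for-byte the original file (it is, entities included), and whether a second html_entity_decode() on that POST body still equals the file (it does not, because "&copy;" has been turned into the symbol, which is exactly the loss the question describes). saveFile() is the fix: escape on output only, and write the submitted text as-is.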
