Forums | Mahara Community

Pieform | HTML Tags in title attribute


Account deleted
Posts: 12

10 February 2012, 11:25

Hi guys,

I hope I am posting in the right forum section. I already did some research on the internet on this topic but didn't find any satisfying information.

I am trying to push a link into my pieform. But it seems that the HTML '<a ..>' tag gets encoded.

What I am trying to do is:

    $elements['my_elem_' . $id] = array(
        'type' => 'checkbox',
        'title' => 'any localized text by get_string' . '<a href="http://target.tld">Desc</a>',
    );

What I assume is:

'any localized text Desc' | where >>Desc<< is a hyperlink.

What I actually get is:

'any localized text <a href="target.tld">Desc</a>'

 

Looking into the HTML source code, all special characters like < are encoded to &lt; and so on. I didn't do any research on how pieform processes the "input", but could it be that all stuff runs through the HTML-Purifier to prevent the system being XSS-ed / defaced?

Is there any way to pass my link through the pieform to my site anyway so that the link would be accessible?

Some would raise their hand and say just put the link in the tpl file. Yes, that would be possible if I only had one item, but that's unfortunately not the case: I have around 200 items which will be parsed and offered to the users.

One solution could be to hand over an array to the template where I just store the URLs and access it within the loop in the tpl file according to the actual form checkbox. But maybe there is also a way to do it directly via the pieform.

So if there is any way to do it using pieform please let me know, otherwise I somehow have to try the extra-array way.

Thanks a lot.

Cheers,

Björn

 

Enrique-Schmidt-Straße
Gregor Anželj
Posts: 349

10 February 2012, 12:16

This may work:

    $elements['my_elem_' . $id] = array(
        'type' => 'checkbox',
        'title' => get_string('localizedstring', 'artefact.yourartefact', '<a href="http://target.tld">', '</a>'),
    );

The above get_string has two additional arguments at the end - the beginning and ending HTML link tags.

'localizedstring' should look as:

$string['localizedstring'] = 'any localized text %sDesc%s';

The %s placeholders define where to add the first and second additional arguments passed to the get_string function.

HTH,
Gregor

Account deleted
Posts: 12

10 February 2012, 12:55

Hi Gregor,

thanks a lot for your post.

Unfortunately it doesn't really get it to work.

Still the output on the webpage is plain text:

"<a href="http://target.tld">Desc</a>"

This may result from the function Pieform::HSC($text), wherein everything gets encoded, including the title attribute of a form element. As my colleague found out, this gets called in the file:

lib/pieforms/pieform/renderers/multicolumntable.php, line 100:

$result .= Pieform::hsc($data['settings']['title']);

If this is changed to:

$result .= $data['settings']['title'];

It works out.

I think for now we will use it that way as there shouldn't be any possibility for the users to enter form titles in any way.

If you guys have any better solution or security remarks, please let me know.

Thanks a lot.

Gregor Anželj
Posts: 349

10 February 2012, 15:59

Sorry, forgot about this...

Some time ago, I had the same problem and that's when the core Mahara team built the labelescaped support into Pieforms. You should use it like:

    $elements['my_elem_' . $id] = array(
        'type' => 'checkbox',
        'title' => get_string('localizedstring', 'artefact.yourartefact', '<a href="http://target.tld">', '</a>'),
        'labelescaped' => true,
    );

HTH,
Gregor
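
Added example, not part of the original thread and not Mahara code: once escaping is switched off for a title (the 'labelescaped' setting above, or the renderer change discussed earlier), the caller has to escape everything except the link markup itself. The helper names esc_html and build_link_title and the sample items are assumptions constructed for illustration; the template stands in for a lang string such as 'any localized text %sDesc%s'.

```php
<?php
// Hypothetical stand-in for the HTML escaping a renderer applies to titles by default.
function esc_html(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

/**
 * Build a title that is safe to emit unescaped (i.e. with 'labelescaped' => true).
 * $template is a lang string with two %s placeholders around the link text.
 * Hypothetical helper, not a Mahara function.
 */
function build_link_title(string $template, string $url): string {
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        // Refuse javascript:, data: and similar schemes; keep the text, drop the link.
        return sprintf(esc_html($template), '', '');
    }
    // Escape the translated text first, then insert the only raw markup allowed.
    return sprintf(esc_html($template), '<a href="' . esc_html($url) . '">', '</a>');
}

// Constructed sample items standing in for the ~200 rows mentioned in the thread.
$items = [
    1 => ['text' => 'any localized text %sDesc%s', 'url' => 'http://target.tld'],
    2 => ['text' => 'R&D <beta> %sDesc%s',         'url' => 'http://target.tld/?a=1&b="2"'],
    3 => ['text' => 'bad scheme %sDesc%s',         'url' => 'javascript:alert(1)'],
];

$elements = [];
foreach ($items as $id => $item) {
    $elements['my_elem_' . $id] = [
        'type'         => 'checkbox',
        'title'        => build_link_title($item['text'], $item['url']),
        // Per the reply above, the title is then output as-is, so the helper
        // is the only place where escaping happens.
        'labelescaped' => true,
    ];
}

// Print the titles to inspect which characters were encoded and which were not.
foreach ($elements as $name => $element) {
    echo $name, ': ', $element['title'], PHP_EOL;
}
```

Item 2 shows the text and the URL being encoded while the anchor tags stay intact, and item 3 falls back to plain text because its scheme is not http or https.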
