hashtopolis/server

[BUG]: Encoding error in the database or API

Closed this issue · 2 comments

Noticed in the name of a superhashlist

Web-UI
Image

Database
Image

The root cause of this problem is the use of the htmlentities() function on the backend before writing the data to the database. I see two solutions at the moment:

  • Use html_entity_decode() before converting the database content to JSON (the wrongly encoded strings will still be in the database, but will be converted before passing them to the frontend)
  • Use htmlspecialchars() and/or strip_tags() before writing the data to the database. This removes all potentially risky elements such as HTML tags or quotation marks from the data.

There are several problems:

  • To remain compatible with the old PHP UI we must save the strings with HTML encoding to the database
  • There is a duplicated usage of htmlentities(): the first is in json2db() in AbstractBaseAPI.class.php, the second in the DB object creation, e.g. HashlistUtils::createHashlist(). That is okay for German characters like ä, ö, ß, but it fails with French accents.
  • When converting the DB objects to JSON, html_entity_decode() is missing.

Proposed solution:

  • Remove htmlentities() from DB object creation
  • Apply html_entity_decode() before dumping values to JSON.
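
The double encoding and the proposed fix discussed in the comments above, as an added PHP example that is not Hashtopolis code: storeTwice(), storeOnce() and toJson() are hypothetical stand-ins for the json2db() plus object-creation write path and for the JSON dump, and the sample names are constructed.

```php
<?php
// Added example. storeTwice(), storeOnce() and toJson() are hypothetical
// stand-ins, not Hashtopolis functions. Flags are passed explicitly because
// the htmlentities() defaults changed in PHP 8.1.
const FLAGS = ENT_QUOTES | ENT_HTML401;

// Write path as described in the thread: encoded in json2db(), then again
// when the DB object is created.
function storeTwice(string $name): string {
    return htmlentities(htmlentities($name, FLAGS, 'UTF-8'), FLAGS, 'UTF-8');
}

// Proposed write path: a single htmlentities() call.
function storeOnce(string $name): string {
    return htmlentities($name, FLAGS, 'UTF-8');
}

// Proposed read path: decode once before dumping the value to JSON.
// The JSON then carries the raw string, so the client has to render it
// as text rather than as HTML.
function toJson(string $stored): string {
    $name = html_entity_decode($stored, FLAGS, 'UTF-8');
    return json_encode(['name' => $name], JSON_UNESCAPED_UNICODE | JSON_THROW_ON_ERROR);
}

$samples = ['Café crème', 'a<b & "c"'];  // constructed sample names

foreach ($samples as $name) {
    $twice = storeTwice($name);
    $once  = storeOnce($name);

    printf("input        : %s\n", $name);
    printf("stored twice : %s\n", $twice);
    printf("stored once  : %s\n", $once);
    printf("JSON (twice) : %s\n", toJson($twice));
    printf("JSON (once)  : %s\n\n", toJson($once));

    // One decode undoes exactly one encode.
    $expected = json_encode(['name' => $name], JSON_UNESCAPED_UNICODE | JSON_THROW_ON_ERROR);
    if (toJson($once) !== $expected) {
        throw new RuntimeException("single encode did not round-trip: $name");
    }
    if (toJson($twice) === $expected) {
        throw new RuntimeException("double encode unexpectedly round-tripped: $name");
    }
}
```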