Embedded Markup - HTML mode wipes out 'name=' in forms coding

elizawire

Joined: 2007-06-11
Posts: 2
Posted: Mon, 2007-06-11 05:54

I'm trying to put in a form and changed to the "Raw HTML" mode but whenever I paste in the form code and save it in the photo description, the code saves intact except that it seems to strip out: name="Whatever Label Name"
This is stripped from the input type line and here is an example of the intact code.
<input type="hidden" name="Qty" value="1">

It's strange because it only strips out the name="?" part of each line and leaves everything else alone? I've tested the code in an HTML page that is intact, and it works fine, so I know this is the only problem. Here's the info on my current setup. If anyone can spot what probably is an obvious error I'm overlooking, please let me know as I'd be very appreciative.

Last Run Details:

Gallery version = 2.2.1 core 1.2.0.1
PHP version = 4.4.4 apache
Webserver = Apache
Database = mysqlt 4.1.21-standard, lock.system=flock
Toolkits = ArchiveUpload, ImageMagick
Acceleration = none, none
Operating system = Linux luke.tchmachines.com 2.6.9-55.ELsmp #1 SMP Wed May 2 14:28:44 EDT 2007 i686
Default theme = matrix
gettext = enabled
Locale = en_US
Browser = Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4
Rows in GalleryAccessMap table = 10
Rows in GalleryAccessSubscriberMap table = 4
Rows in GalleryUser table = 2
Rows in GalleryItem table = 4
Rows in GalleryAlbumItem table = 1
Rows in GalleryCacheMap table = 0

 
valiant

Joined: 2003-01-04
Posts: 32509
Posted: Mon, 2007-06-11 13:31

you can't use any HTML. for security purposes, G2 filters the HTML.

--------------
Documentation: Support / Troubleshooting | Installation, Upgrade, Configuration and Usage

 
elizawire

Joined: 2007-06-11
Posts: 2
Posted: Sun, 2007-06-17 03:23

Thanks for the reply, but why would they give you a "RAW HTML" option? I'm able to make a hyperlink, but this form code just gets the NAME="xxx" stripped out. It does warn about it being unstable, so I guess this is what's meant by that. Maybe I'll have to look for another similar solution that will work. Thanks for your reply, though.

 
valiant

Joined: 2003-01-04
Posts: 32509
Posted: Sun, 2007-06-17 15:56

> but why would they give you a "RAW HTML" option?

you can use formatting tags, link tags etc. you can't use script, embed, object, form, .. tags.
as i said, for security purposes.

> It does warn about it being unstable, so I guess this is what's meant by that.

where does it warn about what?
no, this is not an unstable behavior, this is all intended. a small fraction of our users may actually want to use active HTML elements there. the rest is happy that they're protected from XSS and the like.
you can edit the php code to allow for any HTML (just remove the safeHtml filter).
