Hi! I am developing a Web and want that the user could create some stuff POSTing xml data. For that purpose there is a `<textarea>` where the user can write (copy/paste) xml and submit it. The problem is that I am losing data, characters such as '<', '>' and I think others too get lost.

Maybe it is a framework problem, not sure, I am using Elgg and receiving the data with get_input().

Thanks for your time!

UPDATE1: some code answering the comment

```html
<form method="POST" action="http://for.bar/slash" enctype="text/xml">
<input name="add" type="submit" value="Create"  />
</form>
```

To receive the data I use the Elgg get_input():

```php
$data = get_input('data');
```
+1  A: 

If I were to make a wild guess I'd say that there is some kind of auto-magical xss protection being used by get_input(). You could try doing a print_r($_POST); or perhaps elgg is "sanitizing" all of $_POST as well. In this case you may have to base64 encode the data with JavaScript before submitting the request.

Rook
You were right! Thx a lot. The get_input() function has a $filter_result = true parameter.
conradsteink
+1. Yeah, this results in the input being mangled by `htmlawed_filter_tags`, which tries to make the input HTML whether it was supposed to be HTML or not. XSS “protection” at the input stage is **always the wrong thing**, and this is a particularly bad example of it. I strongly question the competence of the developers of this package.
bobince
That is a nasty "feature" that is all too common. I agree that it is the wrong place for an xss filter. I am glad I can help!
Rook
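
The point made in this thread (take the XML unfiltered, then escape it for the context it is written into), as an added example that is not code from the original posts or from Elgg. The function names and the sample document are constructed for illustration, and `strip_tags()` is only a stand-in for an input-stage HTML filter, not Elgg's actual filter.

```php
<?php
// Constructed sample of what a user might paste into the textarea.
// In Elgg the raw value would come from get_input() with $filter_result
// turned off, as described in the comments above.
$submitted = '<items><item name="a &amp; b">1 &lt; 2</item></items>';

// Stand-in (assumption) for a filter applied at the input stage.
function input_stage_filter(string $raw): string {
    return strip_tags($raw);
}

// Treat the submission as XML data: report parse errors internally and
// forbid network access while loading.
function parse_untrusted_xml(string $raw): ?SimpleXMLElement {
    $previous = libxml_use_internal_errors(true);
    $xml = simplexml_load_string($raw, SimpleXMLElement::class, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    return $xml === false ? null : $xml;
}

// Escape at the output stage, for the HTML context the value lands in.
function html_escape(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 1. Filtering on input destroys the document before it can be parsed.
$filtered = input_stage_filter($submitted);
echo 'After input filter: ', var_export($filtered, true), "\n";
echo 'Still parses as XML: ',
    var_export(parse_untrusted_xml($filtered) !== null, true), "\n";

// 2. Keep the raw value, validate it as XML, and reject it if malformed.
$xml = parse_untrusted_xml($submitted);
if ($xml === null) {
    exit("Rejected: not well-formed XML\n");
}

// 3. Escape only when writing into an HTML page, so the stored XML stays
//    intact and the browser still never interprets it as markup.
echo 'Item text in HTML: ', html_escape((string) $xml->item), "\n";
echo 'Whole document in HTML: <pre>', html_escape($submitted), "</pre>\n";
```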