Using HTML inside lang files


Something REALLY odd happening
I don't know what's happening – whatever it is it seems to be intermittent. I've got some custom lang files containing strings that define URLs and text formatting using HTML. When referencing the lang file and string in a Comcode page, sometimes the HTML is shown as text and other times it parses accurately.
I thought there was something wrong with my custom lang file, so I tried to reproduce the error with global.ini.
{!TUTORIAL_ON_THIS} has got some HTML in it, and when referenced on a Comcode page, the same result is given – sometimes it parses the HTML and sometimes it doesn't.
When it seems to work, I'll remove {!TUTORIAL_ON_THIS}, save the page, then edit and put it back on, and it displays as text again.
I also tried creating a test page that only contained a referenced language string, and same results occurred – so it doesn't have anything to do with interference with other content on the page.
I also thought maybe I was missing some HTML or forgot to close a tag in my themes template files causing errors but the standards checker doesn't show any major errors or missing tags so that shouldn't have any impact on this issue.
I'm out of ideas. Composr is trying to make me look crazy

Edit: tried using a different browser too. I did a recent update on Firefox but Chrome and IE are both doing it as well, so it's not browser specific.




I think, but not sure, that using an asterisk just strips any formatting, including HTML. So it would just render as text anyway.
I'll give it a try later though. I'm not near my computer atm.


Composr Tutorial: Tempcode programming - Composr said
Escaping
Any of the above 4 Tempcode constructs may be escaped. By "escaped", I mean made to fit in an encoding scheme, such as HTML or URLs, such that special text characters do not interact with that encoding scheme in an insecure/corrupting way). This is done with ease using escaping filters, just by placing the character associated with the mode of escaping before the closing '}'. For example, {BLAH*} will add the parameter BLAH, escaped for HTML output.
Not sure, but I'm not reading anything about stripping the HTML there. Worth a try :)


Code
$ESCAPE_HTML_OUTPUT[$ret] = true;
Composr will automatically escape stuff if custom PHP files are present and no declaration is in those custom files that the programmer understands how to avoid XSS vulnerabilities. I don't think it is supposed to affect language strings inside a Comcode page though.
I'll try and reproduce and resolve this properly, but it might be quite hard for me to do so.
If you can provide me access to test on your site that might help (including being able to save code changes, e.g. FTP). Or a backup of your site I can test with.
Become a fan of Composr on Facebook or add me as a friend. Add me on Mastodon. Follow me on Minds (where I am most active). Support me on Patreon
- If not, please let us know how we can do better (please try and propose any bigger ideas in such a way that they are fundable and scalable).
- If so, please let others know about Composr whenever you see the opportunity or support me on Patreon.
- If my reply is too Vulcan or expressed too much in business-strategy terms, and not particularly personal, I apologise. As a company & project maintainer, time is very limited to me, so usually when I write a reply I try and make it generic advice to all readers. I'm also naturally a joined-up thinker, so I always express my thoughts in combined business and technical terms. I recognise not everyone likes that, don't let my Vulcan-thinking stop you enjoying Composr on fun personal projects.
- If my response can inspire a community tutorial, that's a great way of giving back to the project as a user.


KingBast said
Composr Tutorial: Tempcode programming - Composr said
Escaping
Any of the above 4 Tempcode constructs may be escaped. By "escaped", I mean made to fit in an encoding scheme, such as HTML or URLs, such that special text characters do not interact with that encoding scheme in an insecure/corrupting way). This is done with ease using escaping filters, just by placing the character associated with the mode of escaping before the closing '}'. For example, {BLAH*} will add the parameter BLAH, escaped for HTML output.
Not sure, but I'm not reading anything about stripping the HTML there. Worth a try :)
From “Post #3,857”, 29th January 2018, 12:31 pm
Thanks KingBast, you're right, and now it is working properly. I guess I misunderstood the use of asterisks.
It's just funny how it was intermittent, and in other areas of my site I reference custom lang strings with HTML and they seem to work fine without the need to use an asterisk.
Oh well, thanks again for the replies.





If some code file where the declarations are managed is overridden that may confuse the system for example and it might not be able to properly trace whether it should or shouldn't be doing the automatic escaping for the part of the system running – but I'm just guessing.
I appreciate how it would be very confusing. At the same time, the vast majority of programmers writing custom code have no idea how to avoid making XSS vulnerabilities and will make their site wide open to them, hence wide open to being completely hacked. Hence the automatic escaping on custom code if no declaration of understanding them is made. Of course ideally it wouldn't behave unexpectedly like it is here. XSS is a huge problem on websites and probably the majority of websites actually have multiple XSS security holes.
From the next patch release the automatic escaping will be disableable with this Commandr command:
Code
:set_value('kid_gloves_html','0');
I highly advise anyone doing any custom programming, especially outputting URL parameters into pages, to think carefully about XSS. Simply doing some Tempcode like this would open an XSS hole (and actually I checked and our filter can't actually protect against it unfortunately):
Code
{$_GET,test}
Code
...&test=<script>window.alert('!');</script>
So anyway, we'll provide an official way to disable our XSS escaping as above, but I encourage people to think about the issue.




You need to think about it as translation between formats.
$_GET will get it as raw plain text.
But you're putting it into HTML.
HTML is not plain text. It interprets code, such as HTML tags.
So you need to 'escape' it to make it embed within the HTML as text.
It does stuff like change < to &lt;.
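To make the two explanations above concrete (the {$_GET,test} hole and escaping as a translation from plain text into HTML), here is an added example in Python. It is my own toy, not Composr's Tempcode engine or any code from this thread: it models the tutorial's `{NAME}` / `{NAME*}` filter syntax and an `auto_escape` switch standing in for the automatic escaping Chris describes. The query values, the language string `TUTORIAL_ON_THIS` text and the `/tutorial` link are constructed sample inputs, not values from any real site.

```python
import re

# Constructed sample inputs, not taken from any real site.
# Untrusted values as $_GET would hand them over (the thread's &test=... case):
SAMPLE_GET = {
    "test": "<script>window.alert('!');</script>",
    "name": "O'Brien & Sons",
}
# A hypothetical language string that deliberately contains markup, standing in
# for the thread's {!TUTORIAL_ON_THIS} (the real string's text is not reproduced):
SAMPLE_LANG = {
    "TUTORIAL_ON_THIS": 'See the <a href="/tutorial">tutorial</a> on this.',
}

def escape_html(text: str) -> str:
    """Translate plain text into HTML text: each character HTML would interpret
    becomes an entity, so the value embeds inside the markup as text only."""
    return (text.replace("&", "&amp;")   # first, or later entities get re-escaped
                .replace("<", "&lt;")
                .replace(">", "&gt;")
                .replace('"', "&quot;")
                .replace("'", "&#039;"))

# {NAME} inserts a request parameter raw, {NAME*} escaped for HTML output
# (the tutorial's filter syntax); {!KEY} / {!KEY*} read a language string instead.
PLACEHOLDER = re.compile(r"\{(!?)(\w+)(\*?)\}")

def render(template: str, get: dict, lang: dict, auto_escape: bool = True) -> str:
    """Toy Tempcode-like substitution (my own, not Composr's code).
    auto_escape stands in for the automatic escaping the thread describes:
    when on, every substitution is escaped whether or not '*' is present."""
    def substitute(m):
        is_lang, name, star = m.group(1), m.group(2), m.group(3)
        value = (lang if is_lang else get).get(name, "")
        if star or auto_escape:
            return escape_html(value)
        return value
    return PLACEHOLDER.sub(substitute, template)

def leaks_markup(rendered: str, get: dict) -> bool:
    """Defender's check: did a request value containing '<' reach the output verbatim?"""
    return any("<" in v and v in rendered for v in get.values())

if __name__ == "__main__":
    page = "<p>Hello {name}: {test}</p><p>{!TUTORIAL_ON_THIS}</p>"
    # Raw mode: the script tag from the query string passes straight through.
    print(render(page, SAMPLE_GET, SAMPLE_LANG, auto_escape=False))
    # Auto-escape: the query value is inert, but the language string's link
    # is also turned into visible text, which is the symptom the thread opened with.
    print(render(page, SAMPLE_GET, SAMPLE_LANG, auto_escape=True))
```

Running it shows both halves of the trade-off: with `auto_escape` on, the untrusted `test` value is neutralised, but a language string that was meant to carry a link is rendered as text; with it off, the `*` filter has to be applied deliberately wherever request data is embedded, and `leaks_markup` is the kind of check a template test suite can run over rendered output to catch the places where it was forgotten.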