phpScheduleIt
News: phpScheduleIt 2.4.2 has been released!
Author Topic: Summary box problems  (Read 3355 times)
bopper
« on: September 06, 2006, 12:05:01 PM »

If double quotes are entered in the Summary box when making reservations, the calendar will not show the reservation properly. The reservation link appears with mangled javascript and doesn't function. No javascript pop-up appears either (for obvious reasons).

Similar problem with \ being interpreted inside the Summary.  Have to escape them to have them appear. A \\ will appear as a single \.  If you then edit a reservation, a single \ appears.   Then on saving it will disappear because it is not escaped.

The Summary text box needs to take text literally.  This could also be a SQL injection security hole.

Arguing with an engineer is like mud wrestling a pig:
- after awhile you realize that he's enjoying it.
bopper
« Reply #1 on: September 06, 2006, 01:12:10 PM »

Replying to my own question, the solution is to use the php function

  htmlentities()

to encode the textarea before insertion into the database.  If necessary, the function

  html_entity_decode()

can be used to return the string to the original form.

Version 1.2.4, please?
Nick
« Reply #2 on: September 06, 2006, 02:24:53 PM »

Sounds like a bug.  Since this is such a small change I'll probably just post the change here for the immediate future.
bopper
« Reply #3 on: September 06, 2006, 09:31:36 PM »

Quote from: "Nick"
Sounds like a bug.  Since this is such a small change I'll probably just post the change here for the immediate future.


Unfortunately I tried the htmlentities() function in place of stripslashes() in reserve.php

$res->summary   = stripslashes($_POST['summary']);

but it didn't seem to work for me.  I would say that the summary text should be encoded into HTML entities and stored that way in the database, then converted back after it's read from the database.

The reason I'm asking about this is because I want users to be able to put in windows style paths into the summary box, like

c:\tmp\stuff.txt

without having to escape the "\" with "\\", like

c:\\tmp\\stuff.txt

which then disappears after editing the reservation unless they are manually escaped again.  A minor annoyance, but I thought the fix should be an easy one. The use of double quotes in the summary box is more serious because that breaks the javascript and link in the calendar.

Thanks in advance.
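The two symptoms in this thread (backslashes vanishing through stripslashes(), double quotes breaking the calendar's JavaScript link) have one root cause: the summary is being transformed on input instead of encoded for the context it is written into. The following is an added PHP example, not phpScheduleIt's own code; the table schema, the showSummary() pop-up function and the link layout are assumptions standing in for the real calendar markup. It stores the text literally through a bound parameter (which also closes the SQL injection concern from the first post) and encodes it separately for the HTML body, the HTML attribute and the JavaScript string literal.

```php
<?php
// Added example (not phpScheduleIt's own code): keep the Summary text literal
// in the database and encode it per output context instead of munging it on
// input with stripslashes() or htmlentities().
declare(strict_types=1);

// Assumed, simplified reservation table; phpScheduleIt's real schema differs.
function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE reservations (id INTEGER PRIMARY KEY, summary TEXT NOT NULL)');
    return $db;
}

// Store the raw text. A bound parameter carries quotes and backslashes
// verbatim and is never parsed as SQL, so no stripslashes()/addslashes() is needed.
function storeSummary(PDO $db, string $summary): int {
    $stmt = $db->prepare('INSERT INTO reservations (summary) VALUES (:summary)');
    $stmt->execute([':summary' => $summary]);
    return (int) $db->lastInsertId();
}

function loadSummary(PDO $db, int $id): string {
    $stmt = $db->prepare('SELECT summary FROM reservations WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// HTML element and attribute context: encode <, >, &, " and '.
function summaryForHtml(string $summary): string {
    return htmlspecialchars($summary, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// JavaScript string context (the calendar's onclick pop-up): json_encode() yields
// a valid JS string literal; the JSON_HEX_* flags make it safe to embed in markup.
function summaryForJs(string $summary): string {
    return json_encode(
        $summary,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_UNESCAPED_SLASHES
    );
}

// Build the calendar link the thread describes (assumed layout), with each
// part encoded for the context it lands in.
function reservationLink(int $id, string $summary): string {
    return sprintf(
        '<a href="reserve.php?id=%d" onclick="showSummary(%s); return false;">%s</a>',
        $id,
        summaryForHtml(summaryForJs($summary)), // JS literal first, then attribute-encoded
        summaryForHtml($summary)                // plain text content of the link
    );
}

$db = openDb();
// Constructed inputs mirroring the thread: a Windows path and a double-quoted
// summary. PHP single quotes leave \t as a literal backslash + t.
foreach (['c:\tmp\stuff.txt', 'Demo "Q3" <review>'] as $input) {
    $id = storeSummary($db, $input);
    $stored = loadSummary($db, $id);
    echo ($stored === $input ? 'round-trip ok: ' : 'ROUND-TRIP CHANGED: '), $stored, "\n";
    echo reservationLink($id, $stored), "\n";
}
```

stripslashes() removes one level of backslashes; its only legitimate job was undoing PHP's old magic_quotes_gpc, and applied to input that was not add-slashed it eats the user's own backslashes, which is exactly the c:\tmp → c:tmp loss described above. Encoding with htmlentities() at insert time does not help the JavaScript link either, because entity encoding protects the HTML text context only; the onclick handler needs a JavaScript string literal, which is why the example layers json_encode() under htmlspecialchars() for that attribute.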