gazever Posted October 26, 2007
Quick question: I have some forms within my website, and as always I test for validity of input. When testing certain stuff, if I put in HTML tags, i.e. <h1>Heading Here</h1>, and then post it, for some reason the post doesn't go to the script that should receive it; it just goes straight to my root index page. Is this some sort of configuration setting, or does anyone know why this happens?
Thanks
Gaz

rajivgonsalves Posted October 26, 2007
Some code with your <form> tag would help.

gazever Posted October 26, 2007 (Author)
Here's the form:

    <div class="enquiry_form">
      <h3>Send us an enquiry</h3>
      <form action="../enquiry_sender.php" method="post"/>
        <p>Please fill out your enquiry below</p>
        <textarea name="enquiry" rows="6" style='width:680px;'></textarea>
        <p><input type="Submit" value="Send Enquiry"/></p>
      </form>
    </div>

<> posts fine but </> refers me back to the root index. Is there some sort of tags posting configuration somewhere?

premiso Posted October 26, 2007

    <form action="enquiry_sender.php" method="post">

Try that; the ../ goes up one directory.

rajivgonsalves Posted October 26, 2007
Where is enquiry_sender.php located, and are you running the script from your Apache root directory?

gazever Posted October 26, 2007 (Author)
The script is running from root/account-area. The enquiry_sender is in the root, hence the ../, and the form resides in account-area.
I have also installed php list on my website, however when trying to use this to make HTML emails, it does exactly the same thing when the HTML is posted, so I am guessing it is some sort of configuration issue. Is there a configuration setting somewhere that says when tags are posted, break, go to root index?
I am using a shared hosting account, and don't really know anything about configuration setup etc.

rajivgonsalves Posted October 26, 2007
So your form tag should be as follows:

    <form action="/enquiry_sender.php" method="post">

Hope it's helpful.
Cheers!
Wizzkid

gazever Posted October 26, 2007 (Author)
Yeah, that still posts to the correct page, up one level. If I try posting </> it still sends straight back to the main index page.

gazever Posted October 26, 2007 (Author)
No, sorry, I need the ../

rajivgonsalves Posted October 26, 2007
Can you give me the URL of your site so I can study the behaviour?

premiso Posted October 26, 2007
Can the general public access the root? That seems to be the problem: normal people can only hit account-area. Usually stuff above that level is locked to the general public and only available for internal viewing/processing.
Moving that file up a level will work.

gazever Posted October 26, 2007 (Author)
I have everything within a test folder at the moment, which I have set a password protect on to stop bots etc. crawling my pages before it is ready to go live. I shall try moving the enquiry sender to the top level domain outside the protected area. Thanks, this may be the issue.

gazever Posted October 26, 2007 (Author)
No joy. OK, I've split the elements up and put them so you can have a look at them.
The form is at http://www.debbiesvillas.co.uk/form.php
The enquiry sender is at http://www.debbiesvillas.co.uk/enquiry_sender.php
Enquiry sender code is:

    <?php
    echo "<pre>";
    echo "<hr />";
    print_r($_POST);
    echo "</pre>";
    ?>

premiso Posted October 26, 2007
Tested and works on Firefox...
As a side note, this may be screwing you up:

    <form action="enquiry_sender.php" method="post"/>

should be

    <form action="enquiry_sender.php" method="post">

The ending slash may be killing the form prematurely, as that is not proper HTML, and IE may interpret that whereas Firefox does not.

gazever Posted October 26, 2007 (Author)
I use Firefox to test everything. Did you try posting the following?

    </>

This here screws it up and sends it to the index; other stuff seems to post fine.

gazever Posted October 26, 2007 (Author)
Changed the end /> to >

premiso Posted October 26, 2007
Ah, so the problem is that when a user INPUTS </ > it redirects them to a page they should not go to.
That is very weird, I am not sure what or why that would be doing that...
Try adding die(); at the end of the enquiry file... see if that helps?

gazever Posted October 26, 2007 (Author)
Yeah, that is the problem, very weird behaviour. I have tested it without print_r($_post) thinking this may be the problem, but no, it still doesn't just stick to this page without that.

premiso Posted October 26, 2007
Something to try is to see if magic quotes are on. I would also contact your webserver and see what they say. It seems like it is a core issue in the php.ini or maybe even in the webserver (Apache or IIS).

gazever Posted October 26, 2007 (Author)
Code is now:

    <?php
    echo "<pre>";
    echo "<hr />";
    print_r($_POST);
    echo "</pre>";
    die();
    ?>

Still the same problem; it's as if it's never even going to the enquiry_sender when there are tags input.

gazever Posted October 26, 2007 (Author)
Magic quotes are on. The following enquiry

    dsfsdf'dsfsdf

outputs

    Array ( [enquiry] => dsfsdf\'dsfsdf )

Is this the issue, do you think?

premiso Posted October 26, 2007
> magic quotes are on, the following enquiry dsfsdf'dsfsdf outputs Array ( [enquiry] => dsfsdf\'dsfsdf ) Is this the issue do you think?

I dunno, I have never seen this error, and I cannot reproduce it on any of my servers. I would look at your php.ini config (phpinfo()) and look for anything that might cause issues.
Other than that, contact your hosting company and ask what the heck.

gazever Posted October 26, 2007 (Author)
Spoke to the hosting account; their reply:

Victor: Yes, that is due to security rules implemented on server. Here are the logs for the same.

    mod_security: Access denied with redirect to [/]. Pattern match "<(.|\\\\n)+>" at POST_PAYLOAD [id "XSS_Check"] [severity "EMERGENCY"] [hostname "www.debbiesvillas.co.uk "] [uri "/enquiry_sender.php"]

Thanks all for the input.

premiso Posted October 26, 2007
A suggestion to avoid that happening is to do a check with JavaScript for < > or </ > and unlimited spaces. If that is present, throw an alert and halt the page from processing.
Kinda sucks that the host did that, but it is understandable due to XSS reasons. You could even use JavaScript to convert < to its HTML counterpart &lt; and &gt;, which would allow that to be processed without the user knowing what happened.

gazever Posted October 26, 2007 (Author)
Yeah, but I guess not every one of their users checks input before doing stuff with it, so I guess it's a failsafe. I may see if I can get them to remove this restriction. I was just so baffled by the behaviour, glad I now have an answer.
Thanks again

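The behaviour reported in this thread, reproduced as an added example (not code from any poster): it applies the pattern from the host's mod_security log to constructed inputs, then applies the entity conversion suggested above. The function names and sample strings are assumptions, as is reading the escaped `\\\\n` in the log line as a newline and evaluating the rule against the decoded field text.

```javascript
// Added example, not code from the thread.
// Pattern taken from the logged rule: <(.|\n)+>
// Assumption: the backslashes before "n" in the log are escaping for a newline.
const XSS_CHECK = /<(.|\n)+>/;

// Assumption: the rule sees the decoded text of the posted field.
function wouldBeBlocked(payload) {
  return XSS_CHECK.test(payload);
}

// The conversion suggested in the thread: turn angle brackets into HTML
// entities before the form is submitted. "&" is encoded first so that the
// value can be decoded unambiguously on the server.
function encodeForPost(text) {
  return text
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Constructed sample inputs, including the ones mentioned in the thread.
const samples = [
  "<>",                          // nothing between the brackets, "+" needs one char
  "</>",                         // one character between the brackets
  "<h1>Heading Here</h1>",       // ordinary markup
  "dsfsdf'dsfsdf",               // the magic-quotes test string
  "price < 100 and nights > 3",  // plain text, a false positive for the rule
  "line one <\nline two>",       // the \n alternative lets a match span lines
];

// One row per input: blocked as typed, and blocked after entity conversion.
function report(inputs) {
  return inputs.map((input) => ({
    input,
    blocked: wouldBeBlocked(input),
    blockedAfterEncoding: wouldBeBlocked(encodeForPost(input)),
  }));
}

console.table(report(samples));
```

The conversion only keeps legitimate input from tripping the host's rule; since a browser-side step can be skipped, enquiry_sender.php still has to escape the value (for example with htmlspecialchars()) wherever it writes it into HTML.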