Hello,

I have been working on implementing safecracker on my site and have run into an issue when trying to save or edit a field that includes some specific html entities. Namely <, >, or &.

It is converting the html characters to their corresponding code. 

Example:

I have looked all through this forum but have not found anything on this issue.

The form saves the data, but it is saving it with the characters changed.  How can I have the characters not altered when the safecracker form is submitted?

When I save or re-edit the entry from inside the EE control panel, all works correctly.  With the html characters remaining in the correct format.

As an example.  If I am trying to save a field containing

from a safecracker form, it is being saved as

  Once again the above doesn’t include the spaces or quotes (so I can show the characters to you).  However, it saves correctly if I edit the entry directly from inside EE.

Any assistance would be appreciated.

Thanks,
Mark

Which type of field is in question? And to confirm: if you do the same thing in the CP it saves properly?

I’ve tried a normal textarea field and a text field inside matrix 2.

And yes you are correct that if I do the same thing in the CP it saves properly.

Oh, and if you need it, I’m running the latest version of EE - Version: 2.1.3 - Build: 20101220

I also have:
The latest version of safecracker: 1.0.2
The latest version of Matrix - 2.1.2
The latest version of Wygwam - 2.1.7

I’ll do some tests and get back to you.

One more question: what field format do you have selected for that field?

I don’t know what you mean by field format.  Do you mean field type?  I have it currently set on textarea, but have also tried matrix with a cell type of text.

If you go to the field settings page for that field, see the attached screenshot:

Oh yes, I have that set to “none”.

OK, it seems to be a problem with CodeIgniter’s native xss filtering, which doesn’t like object elements, among some others. I don’t have a solution for you yet, but I will continue researching this. Please check back in a few days if you don’t hear anything from me.

I definitely will check back. I wasn’t sure if it was related to safecracker or not as it happens with the safecracker form but works fine from inside the CP.

Thanks a lot for your help on this.

Hi Rob,

You mentioned to check back and see if you have located any potential solutions for this issue. 
Have you had any luck?

Hi Rob,

I’m assuming you haven’t as there has been no response, but have you had a chance to look any further into this issue?

Rob is currently at the Hospital… his wife just went into labor. I don’t know if he found anything specific. After he last posted was a weekend and the MLK Monday holiday, so I don’t know that he’s had enough time to sort it out… but I’ll forward this to him and see if he’s gotten anywhere. My guess is… this one’s a bit complicated, so I’d doubt there’s a workaround yet.

First off, congratulations to Rob!  I hope everything went well.

Thanks for the update, I wasn’t aware of the holiday on Monday and didn’t think about the weekend posting.  I was just hoping to get this all figured out.

I’ll check back later.

Hi irecess, I researched this and found that there’s no solution other than either hacking the EE core or hacking the SafeCracker core. I am not comfortable removing the XSS filtering from our procedure, since SafeCracker forms are on the front-end. In the CP, this filtering is not done, which is why this is not a issue there. If you are interested in more info I can tell you which lines of code to change (in either EE or SafeCracker) to make this work.