HTML 网站上的文本编辑器出现故障
HTML Text Editor Malfunctioning On Website
我的一个博客使用所见即所得的文本编辑器来添加内容。两个多月以来,我一直在使用 TinyMCE 文本编辑器,没有任何问题。今天早些时候,当我 post 在博客上写一篇文章时,我注意到一个奇怪的问题 -
我通过编辑器指定的任何对齐属性都被编辑器作为一个整体忽略,导致它 post 所有内容居中对齐。
更重要的是,显示了我文章中 none 的图像或 link。
每次使用字符 ' 或 " 时,它们前面都有一个 \
仔细观察后发现这就是没有显示图像的原因。每个指定的 link 都会在 post 上自动修改如下 -
原版link
https://fbcdn-sphotos-e-a.akamaihd.net/hphotos-ak-xtf1/v/t1.0-9/11986487_415295328664449_5126694793652411223_n.jpg?oh=2e74053db8bc3b2199d83bf70e20bb66&oe=56D18294&__gda__=1456294351_feed673783e94a2b2581dc30cb848aa9
已修改link
\"\"https:/fbcdn-sphotos-e-a.akamaihd.net/hphotos-ak-xtf1/v/t1.0-9/11986487_415295328664449_5126694793652411223_n.jpg?oh=2e74053db8bc3b2199d83bf70e20bb66&oe=56D18294&__gda__=1456294351_feed673783e94a2b2581dc30cb848aa9\"\" alt=\"\"
我尝试将我的文本编辑器更改为 CKEditor 的文本编辑器,但无济于事。负责添加文章的代码似乎没有缺陷,我非常困惑。看起来像这样 -
<!DOCTYPE html>
<html>
<head><!-- CDN hosted by Cachefly -->
<a href='login_editor.php'>BACK</a>
<a href='index.php'>SITE HOME </a>
<title>Create an Article </title>
<script src="tinymce/tinymce.min.js"></script>
<script src="ckeditor/ckeditor.js"></script>
<script>tinymce.init({selector:'#content,#summary',
plugins: [
"advlist autolink lists link image charmap print preview anchor",
"searchreplace visualblocks code fullscreen",
"insertdatetime media table contextmenu paste"
],
toolbar: "insertfile undo redo | styleselect | bold italic | alignleft aligncenter alignright alignjustify | bullist numlist outdent indent | link image"
});</script>
</head>
<body background='hsw.jpg'>
<center>
<?php
require 'database.php';
session_start();
echo $_SESSION['eid'];
if(!isset($_SESSION['email']))
echo "<script>window.location='login_editor.php'</script>";
$a = $_SESSION['eid'];
if($_SESSION['eid']==null)
echo "<script>window.location='login_editor.php'</script>";
if(isset($_POST['add']))
{
$email = $_SESSION['email'];
$eid=$_SESSION['eid'];
echo $eid;
$title = $_POST['titleofarticle'];
$titleimage=$_POST['titleimage'];
$titleimage = "<img src='".$titleimage."'>";
$summary = $_POST['summary'];
$article = $_POST['content'];
$pdo = Database::connect();
echo $eid;
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$sql = "INSERT INTO editorials (eid,title,titleimage,summary,content) values(?, ?, ?, ?, ?)";
$q = $pdo->prepare($sql);
$q->execute(array($eid,$title,$titleimage,$summary,$article));
Database::disconnect();
echo "Article Submitted! Reloading this page in 5 sec.<script>setTimeout(function(){
window.location='login_editor.php';
}, 5000);</script>";
}
else
{
?>
<form method="post" action="<?php $_PHP_SELF ?>">
<h3><font face="Small Fonts">Article Title</h3> <br>
<input name="titleofarticle" type="text" id="titleofarticle" required size="100"><br><br>
<h3><font face="Small Fonts">Article Title Image</h3> <br>
<input name="titleimage" type="text" id="titleimage" placeholder="Image URL" required size="100"> <br><br>
<h3><font face="Small Fonts">Article Description - Appears Below The Title Image </h3> <br>
<textarea name="summary" id="summary" rows="10" cols="80"></textarea><br>
<script>
// Replace the <textarea id="editor1"> with a CKEditor
// instance, using default configuration.
CKEDITOR.replace( 'summary' );
</script>
<h3><font face="Small Fonts">Article Content</h3> <br>
<textarea name="content" id="content" rows="10" cols="80"></textarea>
<script>
// Replace the <textarea id="editor1"> with a CKEditor
// instance, using default configuration.
CKEDITOR.replace( 'content' );
</script>
<input name="add" type="submit" id="add" value="Submit">
</form>
<?php
}
?>
<hr><br>
<a href='logout_editor.php'> LOGOUT </a>
</body>
</html>
即使我尝试更新现有文章也会出现同样的问题,使曾经完美的旧文章变得更糟。更新文章的代码显示为 -
<?php
session_start();
if(!isset($_SESSION['email']))
echo "<script>window.location='login_editor.php'</script>";
$id=$_GET['id'];
$eid=$_GET['eid'];
if($_SESSION['eid']!=$eid)
echo "<script>window.location='login_editor.php'</script>";
require 'database.php';
$pdo = Database::connect();
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$sql = "SELECT * FROM editorials where id = ?";
$q = $pdo->prepare($sql);
$q->execute(array($id));
$data = $q->fetch(PDO::FETCH_ASSOC);
$checkeid = $data['eid'];
if($_SESSION['eid']!=$checkeid)
echo "<script>window.location='login_editor.php'</script>";
Database::disconnect();
?>
<?php
if ( !empty($_POST)) {
// keep track post values
$title = $_POST['title'];
$titleimage_a = $_POST['titleimagelink'];
$titleimage= "<img src='".$titleimage_a."'>";
$summary = $_POST['summary'];
$content = $_POST['content'];
$pdo = Database::connect();
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$sql = "UPDATE editorials set title = ?,titleimage = ?, summary = ?, content = ? WHERE id = ? AND eid=?";
$q = $pdo->prepare($sql);
$q->execute(array($title,$titleimage,$summary,$content,$id,$eid));
Database::disconnect();
header("Location: login_editor.php");
}
else {
$pdo = Database::connect();
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$sql = "SELECT * FROM editorials where id = ?";
$q = $pdo->prepare($sql);
$q->execute(array($id));
$data = $q->fetch(PDO::FETCH_ASSOC);
$title = $data['title'];
$titleimage = $data['titleimage'];
$titleimagelink_temp=substr($titleimage,10);
$titleimagelink=substr($titleimagelink_temp,0,-2);
$summary = $data['summary'];
$content = $data['content'];
Database::disconnect();
}
?>
<!DOCTYPE html>
<html lang="en">
<head>
<link rel="shortcut icon" type="image/x-icon" href="1442008266.ico">
<title>Update</title>
<meta charset="utf-8">
<script src="js/jquery.js"></script>
<link href="css/bootstrap.min.css" rel="stylesheet">
<script src="js/bootstrap.min.js"></script>
<script type="text/javascript" src="http://tinymce.cachefly.net/4.2/tinymce.min.js"></script>
<script src="ckeditor/ckeditor.js"></script>
<script type="text/javascript">
tinymce.init({
selector: "#content,#summary",
plugins: [
"advlist autolink lists link image charmap print preview anchor",
"searchreplace visualblocks code fullscreen",
"insertdatetime media table contextmenu paste"
],
toolbar: "insertfile undo redo | styleselect | bold italic | alignleft aligncenter alignright alignjustify | bullist numlist outdent indent | link image"
});
</script>
</head>
<body background='hsw.jpg'>
<div class="container">
<div class="span10 offset1">
<div class="row">
<h3>Update Article</h3>
</div>
<form class="form-horizontal" action="editorupdate.php?id=<?php echo $id?>&eid=<?php echo $eid?>" method="post">
<div class="control-group">
<label class="control-label">Title :</label>
<div class="controls">
<input name="title" type="text" value="<?php echo $title?>" size="100">
</div>
</div>
<div class="control-group">
<label class="control-label">Title Image:</label>
<div class="controls">
<input name="titleimagelink" type="text" value="<?php echo $titleimagelink?>" size="100">
</div>
</div>
<div class="control-group">
<label class="control-label">Summary :</label>
<div class="controls">
<textarea name="summary" id="summary"><?php echo $summary?>
</textarea>
<script>
// Replace the <textarea id="editor1"> with a CKEditor
// instance, using default configuration.
CKEDITOR.replace( 'summary' );
</script>
</div>
</div>
<div class="control-group">
<label class="control-label">Content :</label>
<div class="controls">
<textarea name="content" id="content"><?php echo $content?>
</textarea>
<script>
// Replace the <textarea id="editor1"> with a CKEditor
// instance, using default configuration.
CKEDITOR.replace( 'content' );
</script>
</div>
</div>
<div class="form-actions">
<button type="submit" class="btn btn-success">Update</button>
<a class="btn" href="login_editor.php">Back</a>
</div>
</form>
</div>
</div> <!-- /container -->
</body>
</html>
因此,一篇文章应该显示为 -
显示为 -
我已经筋疲力尽地试图找出原因。恢复到较旧的备份,使用 Google 工具扫描我的网站以查找恶意软件,但无济于事。虽然我的域名托管服务商确实说他们在某处检测到恶意代码并建议我尝试使用 200 美元的工具来清除恶意软件。在我抱怨了一下之后,另一个技术。支持代表调查了这个问题并有话要说 -
这似乎不相关。这可能是什么原因造成的?
我很惊讶这完全有效:看起来好像有人降级了您的服务器/激活了 magic quotes,但是:
- 您将未经验证的内容存储在数据库中,然后将其输出到 html,甚至没有使用
htmlspecialchars 之类的东西来确保您 html 不会中断;
- 当您已经将内容输出到浏览器时,您尝试启动会话。
但你最大的问题是你的脚本非常不安全:你在检查会话时使用 javascript 重定向,例如:
if($_SESSION['eid']==null)
echo "<script>window.location='login_editor.php'</script>";
这意味着您的整个脚本在浏览器中的重定向发生之前在服务器上执行.
所以任何人都可以修改和添加文章,根本不需要身份验证。
您应该在脚本的最顶部检查有效会话,然后使用 header 重定向和 exit; 以确保在未找到有效用户时不会执行任何操作。
我的一个博客使用所见即所得的文本编辑器来添加内容。两个多月以来,我一直在使用 TinyMCE 文本编辑器,没有任何问题。今天早些时候,当我 post 在博客上写一篇文章时,我注意到一个奇怪的问题 -
我通过编辑器指定的任何对齐属性都被编辑器作为一个整体忽略,导致它 post 所有内容居中对齐。
更重要的是,显示了我文章中 none 的图像或 link。
每次使用字符 ' 或 " 时,它们前面都有一个 \
仔细观察后发现这就是没有显示图像的原因。每个指定的 link 都会在 post 上自动修改如下 -
原版link
https://fbcdn-sphotos-e-a.akamaihd.net/hphotos-ak-xtf1/v/t1.0-9/11986487_415295328664449_5126694793652411223_n.jpg?oh=2e74053db8bc3b2199d83bf70e20bb66&oe=56D18294&__gda__=1456294351_feed673783e94a2b2581dc30cb848aa9
已修改link
\"\"https:/fbcdn-sphotos-e-a.akamaihd.net/hphotos-ak-xtf1/v/t1.0-9/11986487_415295328664449_5126694793652411223_n.jpg?oh=2e74053db8bc3b2199d83bf70e20bb66&oe=56D18294&__gda__=1456294351_feed673783e94a2b2581dc30cb848aa9\"\" alt=\"\"
我尝试将我的文本编辑器更改为 CKEditor 的文本编辑器,但无济于事。负责添加文章的代码似乎没有缺陷,我非常困惑。看起来像这样 -
<!DOCTYPE html>
<html>
<head><!-- CDN hosted by Cachefly -->
<a href='login_editor.php'>BACK</a>
<a href='index.php'>SITE HOME </a>
<title>Create an Article </title>
<script src="tinymce/tinymce.min.js"></script>
<script src="ckeditor/ckeditor.js"></script>
<script>tinymce.init({selector:'#content,#summary',
plugins: [
"advlist autolink lists link image charmap print preview anchor",
"searchreplace visualblocks code fullscreen",
"insertdatetime media table contextmenu paste"
],
toolbar: "insertfile undo redo | styleselect | bold italic | alignleft aligncenter alignright alignjustify | bullist numlist outdent indent | link image"
});</script>
</head>
<body background='hsw.jpg'>
<center>
<?php
require 'database.php';
session_start();
echo $_SESSION['eid'];
if(!isset($_SESSION['email']))
echo "<script>window.location='login_editor.php'</script>";
$a = $_SESSION['eid'];
if($_SESSION['eid']==null)
echo "<script>window.location='login_editor.php'</script>";
if(isset($_POST['add']))
{
$email = $_SESSION['email'];
$eid=$_SESSION['eid'];
echo $eid;
$title = $_POST['titleofarticle'];
$titleimage=$_POST['titleimage'];
$titleimage = "<img src='".$titleimage."'>";
$summary = $_POST['summary'];
$article = $_POST['content'];
$pdo = Database::connect();
echo $eid;
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$sql = "INSERT INTO editorials (eid,title,titleimage,summary,content) values(?, ?, ?, ?, ?)";
$q = $pdo->prepare($sql);
$q->execute(array($eid,$title,$titleimage,$summary,$article));
Database::disconnect();
echo "Article Submitted! Reloading this page in 5 sec.<script>setTimeout(function(){
window.location='login_editor.php';
}, 5000);</script>";
}
else
{
?>
<form method="post" action="<?php $_PHP_SELF ?>">
<h3><font face="Small Fonts">Article Title</h3> <br>
<input name="titleofarticle" type="text" id="titleofarticle" required size="100"><br><br>
<h3><font face="Small Fonts">Article Title Image</h3> <br>
<input name="titleimage" type="text" id="titleimage" placeholder="Image URL" required size="100"> <br><br>
<h3><font face="Small Fonts">Article Description - Appears Below The Title Image </h3> <br>
<textarea name="summary" id="summary" rows="10" cols="80"></textarea><br>
<script>
// Replace the <textarea id="editor1"> with a CKEditor
// instance, using default configuration.
CKEDITOR.replace( 'summary' );
</script>
<h3><font face="Small Fonts">Article Content</h3> <br>
<textarea name="content" id="content" rows="10" cols="80"></textarea>
<script>
// Replace the <textarea id="editor1"> with a CKEditor
// instance, using default configuration.
CKEDITOR.replace( 'content' );
</script>
<input name="add" type="submit" id="add" value="Submit">
</form>
<?php
}
?>
<hr><br>
<a href='logout_editor.php'> LOGOUT </a>
</body>
</html>
即使我尝试更新现有文章也会出现同样的问题,使曾经完美的旧文章变得更糟。更新文章的代码显示为 -
<?php
session_start();
if(!isset($_SESSION['email']))
echo "<script>window.location='login_editor.php'</script>";
$id=$_GET['id'];
$eid=$_GET['eid'];
if($_SESSION['eid']!=$eid)
echo "<script>window.location='login_editor.php'</script>";
require 'database.php';
$pdo = Database::connect();
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$sql = "SELECT * FROM editorials where id = ?";
$q = $pdo->prepare($sql);
$q->execute(array($id));
$data = $q->fetch(PDO::FETCH_ASSOC);
$checkeid = $data['eid'];
if($_SESSION['eid']!=$checkeid)
echo "<script>window.location='login_editor.php'</script>";
Database::disconnect();
?>
<?php
if ( !empty($_POST)) {
// keep track post values
$title = $_POST['title'];
$titleimage_a = $_POST['titleimagelink'];
$titleimage= "<img src='".$titleimage_a."'>";
$summary = $_POST['summary'];
$content = $_POST['content'];
$pdo = Database::connect();
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$sql = "UPDATE editorials set title = ?,titleimage = ?, summary = ?, content = ? WHERE id = ? AND eid=?";
$q = $pdo->prepare($sql);
$q->execute(array($title,$titleimage,$summary,$content,$id,$eid));
Database::disconnect();
header("Location: login_editor.php");
}
else {
$pdo = Database::connect();
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$sql = "SELECT * FROM editorials where id = ?";
$q = $pdo->prepare($sql);
$q->execute(array($id));
$data = $q->fetch(PDO::FETCH_ASSOC);
$title = $data['title'];
$titleimage = $data['titleimage'];
$titleimagelink_temp=substr($titleimage,10);
$titleimagelink=substr($titleimagelink_temp,0,-2);
$summary = $data['summary'];
$content = $data['content'];
Database::disconnect();
}
?>
<!DOCTYPE html>
<html lang="en">
<head>
<link rel="shortcut icon" type="image/x-icon" href="1442008266.ico">
<title>Update</title>
<meta charset="utf-8">
<script src="js/jquery.js"></script>
<link href="css/bootstrap.min.css" rel="stylesheet">
<script src="js/bootstrap.min.js"></script>
<script type="text/javascript" src="http://tinymce.cachefly.net/4.2/tinymce.min.js"></script>
<script src="ckeditor/ckeditor.js"></script>
<script type="text/javascript">
tinymce.init({
selector: "#content,#summary",
plugins: [
"advlist autolink lists link image charmap print preview anchor",
"searchreplace visualblocks code fullscreen",
"insertdatetime media table contextmenu paste"
],
toolbar: "insertfile undo redo | styleselect | bold italic | alignleft aligncenter alignright alignjustify | bullist numlist outdent indent | link image"
});
</script>
</head>
<body background='hsw.jpg'>
<div class="container">
<div class="span10 offset1">
<div class="row">
<h3>Update Article</h3>
</div>
<form class="form-horizontal" action="editorupdate.php?id=<?php echo $id?>&eid=<?php echo $eid?>" method="post">
<div class="control-group">
<label class="control-label">Title :</label>
<div class="controls">
<input name="title" type="text" value="<?php echo $title?>" size="100">
</div>
</div>
<div class="control-group">
<label class="control-label">Title Image:</label>
<div class="controls">
<input name="titleimagelink" type="text" value="<?php echo $titleimagelink?>" size="100">
</div>
</div>
<div class="control-group">
<label class="control-label">Summary :</label>
<div class="controls">
<textarea name="summary" id="summary"><?php echo $summary?>
</textarea>
<script>
// Replace the <textarea id="editor1"> with a CKEditor
// instance, using default configuration.
CKEDITOR.replace( 'summary' );
</script>
</div>
</div>
<div class="control-group">
<label class="control-label">Content :</label>
<div class="controls">
<textarea name="content" id="content"><?php echo $content?>
</textarea>
<script>
// Replace the <textarea id="editor1"> with a CKEditor
// instance, using default configuration.
CKEDITOR.replace( 'content' );
</script>
</div>
</div>
<div class="form-actions">
<button type="submit" class="btn btn-success">Update</button>
<a class="btn" href="login_editor.php">Back</a>
</div>
</form>
</div>
</div> <!-- /container -->
</body>
</html>
因此,一篇文章应该显示为 -
显示为 -
我已经筋疲力尽地试图找出原因。恢复到较旧的备份,使用 Google 工具扫描我的网站以查找恶意软件,但无济于事。虽然我的域名托管服务商确实说他们在某处检测到恶意代码并建议我尝试使用 200 美元的工具来清除恶意软件。在我抱怨了一下之后,另一个技术。支持代表调查了这个问题并有话要说 -
这似乎不相关。这可能是什么原因造成的?
我很惊讶这完全有效:看起来好像有人降级了您的服务器/激活了 magic quotes,但是:
- 您将未经验证的内容存储在数据库中,然后将其输出到 html,甚至没有使用
htmlspecialchars之类的东西来确保您 html 不会中断; - 当您已经将内容输出到浏览器时,您尝试启动会话。
但你最大的问题是你的脚本非常不安全:你在检查会话时使用 javascript 重定向,例如:
if($_SESSION['eid']==null)
echo "<script>window.location='login_editor.php'</script>";
这意味着您的整个脚本在浏览器中的重定向发生之前在服务器上执行.
所以任何人都可以修改和添加文章,根本不需要身份验证。
您应该在脚本的最顶部检查有效会话,然后使用 header 重定向和 exit; 以确保在未找到有效用户时不会执行任何操作。