
Simple Ajax Chat
[resolved] HTML Escaping & multiple updates (5 posts)

  1. ryan_the_leach
    Member
    Posted 1 year ago

    I was surprised to find that with this plugin all the HTML is being escaped before it is entered into the database. I did some looking around, and it seems best practice is that you should be escaping the HTML when you output the message to the page.

    The only reason I ask is that I have been hooking this chat up to an external service by writing to the database, and it surprised me. I can work around it, but if you ever need to output the data to another format, it can get a little hairy.

    Additionally, I have noticed that if I add multiple entries into the database, only the latest one is added live; it takes a page refresh in order for the others to show up. Is this intentional, or is there some other catch that I am missing?

    https://wordpress.org/plugins/simple-ajax-chat/

  2. ryan_the_leach
    Member
    Posted 1 year ago

    As for the backslash on ' issue, you should probably be stripping the slashes, as it is legacy from PHP magic quotes, and from what I understand, WordPress continues this as it has been taken for granted in plugins and WordPress core.

    However, if you are doing your database queries correctly (which I suspect you are, as the backslashes are being stored in the database), you should be protected from SQL injection anyway by WordPress.
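An added example, not code from the Simple Ajax Chat plugin, showing the pattern the two posts above describe: undo the slashes WordPress re-adds to request data with wp_unslash(), store the text unescaped through $wpdb's prepared queries, and escape only at HTML output with esc_html(); the fetch helper returns every row after the last id the client saw rather than only the newest. The table name hypothetical_chat and the hyp_chat_* function names are assumptions.

```php
<?php
// Added example, not the plugin's code. Assumes a table
// {$wpdb->prefix}hypothetical_chat with columns id, name, message, time.

/**
 * Save one chat message. WordPress re-adds magic-quotes-style slashes to
 * $_POST/$_GET/$_REQUEST, so remove them with wp_unslash() before storing.
 * No HTML escaping here: that is done when the text is rendered.
 */
function hyp_chat_store( $name, $message ) {
    global $wpdb;
    // $wpdb->insert() builds a prepared query, so a literal ' or \ in the
    // message is stored as-is and cannot break out of the SQL.
    return $wpdb->insert(
        $wpdb->prefix . 'hypothetical_chat',
        array(
            'name'    => trim( wp_unslash( $name ) ),
            'message' => trim( wp_unslash( $message ) ),
            'time'    => current_time( 'mysql' ),
        ),
        array( '%s', '%s', '%s' )
    );
}

/**
 * Return every row after the last id the client has seen, oldest first, so a
 * poll that missed several inserts (e.g. rows written by another service)
 * catches up on all of them rather than only the newest.
 */
function hyp_chat_fetch( $after_id = 0 ) {
    global $wpdb;
    $table = $wpdb->prefix . 'hypothetical_chat';
    return $wpdb->get_results( $wpdb->prepare(
        "SELECT id, name, message, time FROM {$table} WHERE id > %d ORDER BY id ASC",
        $after_id
    ) );
}

/**
 * HTML output: escape here, for this context only. The same rows can be
 * handed to a JSON feed or another service without HTML entities in them.
 */
function hyp_chat_render_html( $rows ) {
    $out = '';
    foreach ( $rows as $row ) {
        $out .= '<li><strong>' . esc_html( $row->name ) . '</strong>: '
              . esc_html( $row->message ) . '</li>';
    }
    return $out;
}
```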

  3. Jeff Starr
    Member
    Plugin Author
    Posted 1 year ago

    I've added the encoding issue to the to-do list and will get that sorted next update.

    Not sure about the latest/live chat messages thing, but I'll take a look at that as well. Just to be clear, and for the sake of anyone else reading, all chat messages entered via the front-end chatbox are added/displayed quickly via Ajax, as opposed to what I think you're asking in your question, which refers to adding new chat messages not through the chatbox window, but rather via the settings or directly to the database.

    For the backslashes, yes that is also on the list.

    Thanks for taking the time to provide useful feedback.

  4. ryan_the_leach
    Member
    Posted 1 year ago

    Thanks for the reply Jeff, that's exactly what I am talking about on all 3 points.

  5. Jeff Starr
    Member
    Plugin Author
    Posted 5 months ago

    Update: the new version of Simple Ajax Chat (20140923) fixes the character-encoding, single-quote, and backslash issues, and is also a big improvement in terms of data output and sanitization: https://wordpress.org/plugins/simple-ajax-chat/

Topic Closed
