Support » Plugin: Simple Ajax Chat » HTML Escaping & multiple updates

  • ryan_the_leach (topic marked Resolved)


    I was surprised to find that with this plugin all the HTML is being escaped before it is entered into the database. I did some looking around, and it seems best practice is that you should be escaping the HTML when you output the message to the page.

    The only reason I ask is that I have been hooking this chat up to an external service by writing to the database, and it surprised me. I can work around it, but if you ever need to output the data to another format, it can get a little hairy.

    Additionally, I have noticed that if I add multiple entries into the database, only the latest one is added live; it takes a page refresh for the others to show up. Is this intentional, or is there some other catch that I am missing?
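    An added illustration of the store-raw, escape-on-output approach described above, showing why pre-escaped rows are awkward for a non-HTML consumer (example code written for this thread, not the plugin's own; the `sac_example_*` function names, the `chat_messages` table and the `$pdo` connection are assumed):

```php
<?php
// Added example, not Simple Ajax Chat's code. Assumes a PDO connection $pdo
// to a table chat_messages(id, message); function names are hypothetical.

// Undo the legacy magic-quotes style backslashes on the incoming value
// (WordPress still adds them to request data; wp_unslash() does this in WP).
function sac_example_unslash(string $s): string {
    return stripslashes($s);
}

// Store the message raw: the prepared statement covers SQL safety,
// so no HTML escaping belongs here.
function sac_example_store(PDO $pdo, string $rawMessage): void {
    $stmt = $pdo->prepare('INSERT INTO chat_messages (message) VALUES (:m)');
    $stmt->execute([':m' => $rawMessage]);
}

// Escape at output time, picking the escaper for the destination context.
function sac_example_render_html(string $rawMessage): string {
    // <, >, &, " and ' become HTML entities; safe inside element content.
    return '<li>' . htmlspecialchars($rawMessage, ENT_QUOTES, 'UTF-8') . '</li>';
}

function sac_example_render_json(string $rawMessage): string {
    // JSON gets its own escaping; the consumer receives the original text.
    return json_encode(['message' => $rawMessage], JSON_THROW_ON_ERROR);
}

// Walk-through with a constructed message carrying magic-quotes slashes.
$posted = "it\\'s <b>bold</b> & \"quoted\"";
$raw = sac_example_unslash($posted);
// sac_example_store($pdo, $raw) would persist $raw unchanged; then:
echo sac_example_render_html($raw), "\n";   // entity-escaped for the page
echo sac_example_render_json($raw), "\n";   // plain text inside JSON

// Contrast: escaping before storage means an export to JSON (or any other
// format) ships HTML entities to a consumer that never asked for them.
$preEscaped = htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
echo json_encode(['message' => $preEscaped], JSON_THROW_ON_ERROR), "\n";
```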

  • As for the backslash on ‘ issue, you should probably be stripping the slashes, as it is legacy from PHP magic quotes, and from what I understand, WordPress continues this as it has been taken for granted in plugins and WordPress core.

    However, if you are doing your database queries correctly (which I suspect you are, as the backslashes are being stored in the database), you should be protected from SQL injection anyway by WordPress.

    Plugin Author Jeff Starr


    I’ve added the encoding issue to the to-do list and will get that sorted next update.

    Not sure about the latest/live chat messages thing, but I’ll take a look at that as well. Just to be clear, and for the sake of anyone else reading, all chat messages entered via the front-end chatbox are added/displayed quickly via Ajax, as opposed to what I think you’re asking about in your question, which refers to adding new chat messages not through the chatbox window but rather via the settings or directly to the database.

    For the backslashes, yes that is also on the list.

    Thanks for taking the time to provide useful feedback.

    Thanks for the reply, Jeff; that’s exactly what I am talking about on all 3 points.

    Plugin Author Jeff Starr


    Update: the new version of Simple Ajax Chat (20140923) fixes the character-encoding, single-quote, and backslash issues, and is also a big improvement in terms of data output and sanitization:
