
Taking HTML string from MySQL database and echoing using PHP into Google Maps API

oliverguy

I have a MySQL database that contains information that I need to display on a Google Map using the JavaScript API.


        <?php foreach($rows as $row): ?>
            var <?php echo htmlentities($row['markername'], ENT_QUOTES, 'UTF-8'); ?>Marker = new google.maps.Marker({
                position: {lat: <?php echo htmlentities($row['lat'], ENT_QUOTES, 'UTF-8'); ?>, lng: <?php echo htmlentities($row['lng'], ENT_QUOTES, 'UTF-8'); ?>},
                map: map,
                title: '<?php echo htmlentities($row['placename'], ENT_QUOTES, 'UTF-8'); ?>',
            });
            var <?php echo htmlentities($row['markername'], ENT_QUOTES, 'UTF-8'); ?>Info = new google.maps.InfoWindow({
                content:'<?php echo htmlentities($row['content'], ENT_QUOTES, ENT_HTML5, 'UTF-8'); ?> ?>'
                });
                google.maps.event.addListener(<?php echo htmlentities($row['markername'], ENT_QUOTES, 'UTF-8'); ?>Marker, 'click', function() {
                <?php echo htmlentities($row['markername'], ENT_QUOTES, 'UTF-8'); ?>Info.open(map,<?php echo htmlentities($row['markername'], ENT_QUOTES, 'UTF-8'); ?>Marker);
            });
        <?php endforeach; ?>


All of my code works except for line 8, the content line. This does not work as it should: the content part takes HTML, so this should just echo my HTML string from the DB and it should work, but this isn't happening. If I just set a variable as an HTML string and echo that variable instead of the content row from my DB then it works as it should.


How do I fix this???


I'm not sure that this is your problem, but there are a few issues with that line:

  • When using multiple flags, such as ENT_QUOTES and ENT_HTML5, you need to separate them with | rather than , because otherwise they are just different parameters. | is binary OR, which is used to combine flags (specifically, ENT_QUOTES in binary is 11, while ENT_HTML5 in binary is 10000000, so when ORed together, it gives the binary number 10000011, which can then be checked to see which flags are set using binary AND).
  • You have two closing ?>
  • Your use of htmlentities will not protect you from any malicious entry, because you are already in a script tag. If someone changed markername to something like
    a;alert(1);var 

    that results in

     var a;alert(1);var Info = new google.maps.InfoWindow

    which is still perfectly valid JS, and will get through your htmlentities, but is a cross site scripting vulnerability (the attacker can execute arbitrary javascript inside your website). To solve this, I would suggest never using user input for variable names (use a random string, incrementing counter, or array), and send the user input to the page in a json encoded variable:

    // No quotes around the PHP output: json_encode already emits a JavaScript literal.
    // The JSON_HEX_* flags escape < > & ' " so the data cannot close the <script> tag.
    var rows = <?php echo json_encode($rows, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT); ?>;
    var mapData = [];
    for (var i = 0; i < rows.length; i++) {
        var newMap = {
            marker: new google.maps.Marker({
                // the Maps API property is lng, not long
                position: {lat: rows[i].lat, lng: rows[i].lng},
                map: map,
                // etc
            }),
            info: new google.maps.InfoWindow({
                // rendered as HTML by the InfoWindow, so it must be trusted or sanitised server-side
                content: rows[i].content
            })
        };
        mapData.push(newMap);
    }

    Note: I've not tested this code, so you will probably need to make some adaptions to it to fix any errors. It should give you an idea for what I mean though.
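An added example, not code from the thread or from either poster, that puts both of colonel_mortis's points side by side in PHP: the original htmlentities()-inside-a-script approach and the single-JSON-literal approach, run over constructed rows, one of them hostile. The function names, the sample rows and the `map` variable in the generated JavaScript are assumptions.

```php
<?php
// Added example, not code from the thread: compare the original
// htmlentities()-inside-<script> approach with a single JSON literal.

// Constructed sample rows; the second carries hostile values.
$rows = [
    ['markername' => 'office', 'lat' => 51.5, 'lng' => -0.12,
     'placename' => 'Office', 'content' => '<p>Text about something...</p>'],
    ['markername' => 'a;alert(1);var ', 'lat' => 0, 'lng' => 0,
     'placename' => 'x', 'content' => '</script><script>alert(1)</script>'],
];

// The thread's approach. Entity encoding leaves JavaScript syntax alone, so
// the marker name still runs as code, and it turns legitimate HTML into
// &lt;p&gt;..., which the InfoWindow then displays literally (the OP's symptom).
function renderUnsafe(array $rows): string {
    $js = '';
    foreach ($rows as $row) {
        $name = htmlentities($row['markername'], ENT_QUOTES, 'UTF-8');
        $content = htmlentities($row['content'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $js .= "var {$name}Info = new google.maps.InfoWindow({content: '{$content}'});\n";
    }
    return $js;
}

// The suggested fix. No user data in identifiers; one JSON literal emitted
// without surrounding quotes. JSON_HEX_* turn < > & ' " into \u00XX escapes so
// the payload can neither close the <script> tag nor break out of the string.
// r.content is still rendered as HTML by the InfoWindow, so it must come
// from a trusted editor or be run through an HTML sanitiser before storage.
function renderSafe(array $rows): string {
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    $json = json_encode($rows, $flags | JSON_THROW_ON_ERROR);
    return "var rows = {$json};\n"
         . "var mapData = rows.map(function (r) {\n"
         . "  var marker = new google.maps.Marker({position: {lat: r.lat, lng: r.lng}, map: map, title: r.placename});\n"
         . "  var info = new google.maps.InfoWindow({content: r.content});\n"
         . "  marker.addListener('click', function () { info.open(map, marker); });\n"
         . "  return {marker: marker, info: info};\n"
         . "});\n";
}

$unsafe = renderUnsafe($rows);
$safe = renderSafe($rows);
// Self-check: the hostile name survives entity encoding as live JS, while the
// JSON output contains no raw angle brackets at all.
assert(strpos($unsafe, 'var a;alert(1);var Info') !== false);
assert(strpos($safe, '<') === false && strpos($safe, '>') === false);
echo $safe;
```

The echoed string is what belongs inside the page's `<script>` tag in place of the foreach loop.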


21 hours ago, colonel_mortis said:

I'm not sure that this is your problem, but there are a few issues with that line:

  • When using multiple flags, such as ENT_QUOTES and ENT_HTML5, you need to separate them with | rather than , because otherwise they are just different parameters. | is binary OR, which is used to combine flags (specifically, ENT_QUOTES in binary is 11, while ENT_HTML5 in binary is 10000000, so when ORed together, it gives the binary number 10000011, which can then be checked to see which flags are set using binary AND).
  • You have two closing ?>
  • Your use of htmlentities will not protect you from any malicious entry, because you are already in a script tag. If someone changed markername to something like
    a;alert(1);var 

    that results in

     var a;alert(1);var Info = new google.maps.InfoWindow

    which is still perfectly valid JS, and will get through your htmlentities, but is a cross site scripting vulnerability (the attacker can execute arbitrary javascript inside your website). To solve this, I would suggest never using user input for variable names (use a random string, incrementing counter, or array), and send the user input to the page in a json encoded variable:

    Note: I've not tested this code, so you will probably need to make some adaptions to it to fix any errors. It should give you an idea for what I mean though.

Thanks, I tried the fixes, still doesn't work. :(

 

As for the XSS vulnerability, the part where users input into the DB is already looking for script tags and won't let users enter data with them in; also it's being used by a small number of people, all of whom I will know personally, so it is not open to anyone on the web.

 

If I edit the database and just put in plain text then the code works flawlessly, which makes me even more confused. Also I didn't write this code (the person who did is also stuck on this issue). Are htmlentities, ENT_QUOTES and ENT_HTML5 correct? It's for an HTML string that looks like

 


<p>Text about something...</p>

No quote marks or anything surrounding it at all.

 

Again, thanks for the help! :)


11 minutes ago, oliverguy said:

 

Thanks, I tried the fixes, still doesn't work. :(

 

As for the XSS vulnerability, the part where users input into the DB is already looking for script tags and won't let users enter data with them in; also it's being used by a small number of people, all of whom I will know personally, so it is not open to anyone on the web.

 

If I edit the database and just put in plain text then the code works flawlessly, which makes me even more confused. Also I didn't write this code (the person who did is also stuck on this issue). Are htmlentities, ENT_QUOTES and ENT_HTML5 correct? It's for an HTML string that looks like

 

No quote marks or anything surrounding it at all.

 

Again, thanks for the help! :)

If you can use plain text and it works, why not change the system to use plain text?

Vorticalbox | Scientia Potentia est


2 minutes ago, vorticalbox said:

If you can use plain text and it works, why not change the system to use plain text?

Because we need formatted text, bullet point and pictures specifically.


1 minute ago, oliverguy said:

Because we need formatted text, bullet point and pictures specifically.

You could get users to use BB code, then use PHP to change it after the fact? You might be able to do this with JavaScript too. Never tried it with JS though.

 

could maybe be an option?

Vorticalbox | Scientia Potentia est


1 hour ago, vorticalbox said:

You could get users to use BB code, then use PHP to change it after the fact? You might be able to do this with JavaScript too. Never tried it with JS though.

 

could maybe be an option?

 

I'll have a look into that, thanks.
