HTML Escapement problem
Posted: Wed Jan 17, 2001 12:53 pm
by vidar.ramdal
I have a discussion forum with a submission form. When a user submits a text with quotes ("), Vortex escapes it and saves it as ". This is OK, but when the message is displayed, Vortex also escapes the ampersand (&), making quotes look like " (in HTML: ").
I've tried fixing this with <fmtcp SANDBLAST "&" "&">, but fmtcp doesn't recognize the &.
How can I fix this?
Posted: Wed Jan 17, 2001 2:39 pm
by mark
Vortex only html escapes data when it is "displayed". So if you are inserting into a database record you will store exactly what the user typed. If you're saving to a file with <write> or <exec> or similar you are subject to the html escapement unless you use <fmt "%s"> or <send>.
What steps does the user input go through in your script to save and then later to display?
Posted: Thu Jan 18, 2001 9:56 am
by vidar.ramdal
Thank you for your quick response. The form data are obtained with <varinfo list content>, transferred to variables with <getvar ...> and written to a file with <WRITE ...>$varname</WRITE>.
I've found that I actually need quotes to be escaped when written to file, as some of it will be attributes in HTML tags.
Therefore, I need some mechanism to unescape it when displayed. I print out the file using this code:
<read $filename>
<$file = $ret>
<$search = (some tags I want to replace)>
<$call (functions for replacement)>
<fmtcp SANDCALL NOESC $search $call>
<sb>$file</sb>.
The search/replace functions work fine for everything but quotes. I've tried things like <$search =... "#26amp;"> and <$search = ... "\x26amp;"> to get to the "&" in ""e;", but it isn't recognized.
Any help would be greatly appreciated.
Posted: Thu Jan 18, 2001 10:46 am
by John
The quotes are " not &. The & only gets output when trying to output ". You should search for " and then output a literal " or " according to your needs.
Posted: Thu Jan 18, 2001 12:01 pm
by vidar.ramdal
When I search for """ it isn't recognized. Can I really write something like this:
<fmtcp SANDCALL NOESC """ "quotfunc">
...
<a name=quotfunc>
"
</a>
Posted: Thu Jan 18, 2001 1:05 pm
by Kai
Yes, that will replace `"' with `"'.
Are you sure that one of the other search expressions isn't overlapping `"' in the text when it matches? I.e. if the `"' occurs inside a tag which is being matched by another SANDCALL expression in your list, then that tag's callback might be printing the `"' as-is, before your `"' search matches. You might have to do the `"'-to-`"' replacement in one pass, then <CAPTURE> that and do your tag replacement.
Actually, I think you don't need to un-escape the `"' at all: if you <send> or <fmt "%s"> your variables in your SANDCALL callbacks instead of printing as $var, then the `"' will not get double-escaped. (Ie. the real problem seems to be avoiding not the first `"'-to-`"' escapement on writing the file, but the second `"'-to-`"' escapement on printing.)
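Added example, not part of the thread and not Vortex code: a Python sketch of the double escapement discussed above, where text escaped on write is escaped a second time on display, plus a check that flags the result in rendered output. All function names and the sample string are assumptions made for illustration; `html.escape` stands in for Vortex's output escaping.

```python
import html
import re

# An entity whose ampersand was itself escaped, e.g. &amp;quot; or &amp;#34;.
# Note: text where the user literally typed "&quot;" also renders this way,
# so a hit is a signal to review, not proof of a bug.
DOUBLE_ESCAPED = re.compile(
    r"&amp;(?:[A-Za-z][A-Za-z0-9]*|#[0-9]+|#[xX][0-9A-Fa-f]+);"
)

def store_escaped(user_text):
    """Escape on write, as the script in the thread does."""
    return html.escape(user_text, quote=True)

def display_escaping(stored):
    """Output path that escapes again (like printing a plain variable)."""
    return html.escape(stored, quote=True)

def display_verbatim(stored):
    """Output path that emits already-escaped text unchanged."""
    return stored

def find_double_escapes(rendered):
    """Return every double-escaped entity found in rendered HTML."""
    return DOUBLE_ESCAPED.findall(rendered)

def render_attribute(raw_value):
    """Alternative design: store raw text, escape exactly once at output."""
    return '<input value="%s">' % html.escape(raw_value, quote=True)

SAMPLE = 'He said "hi" & left'  # constructed sample input

if __name__ == "__main__":
    stored = store_escaped(SAMPLE)
    print("stored:   ", stored)
    print("escaped x2:", display_escaping(stored))
    print("flags:    ", find_double_escapes(display_escaping(stored)))
    print("verbatim: ", display_verbatim(stored))
    print("attribute:", render_attribute('say "hi"'))
```

Whichever side does the escaping, the stored text must pass through exactly one escaping step before it reaches the browser; unescaping on display to compensate reopens the attribute-quoting problem the escaping was there to prevent.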