HTML text editor malfunctioning on website

Posted: 2015-10-10 19:36:00

Tags: php html ckeditor wysiwyg text-editor

My blog uses a WYSIWYG text editor to add content. For more than two months I have been using the TinyMCE text editor without any problems. Earlier today, when I published an article on the blog, I found a strange problem -

  1. Any alignment attribute I specify through the editor is ignored by the editor altogether, so it publishes everything center-aligned.

  2. More importantly, none of the images or links in my article are displayed.

  3. Every time the characters ' " are used, they are preceded by a \

  4. On closer inspection, this turned out to be the reason the images are not displayed. Every link specified is automatically modified on publishing, as shown below -

    Original link

    https://fbcdn-sphotos-e-a.akamaihd.net/hphotos-ak-xtf1/v/t1.0-9/11986487_415295328664449_5126694793652411223_n.jpg?oh=2e74053db8bc3b2199d83bf70e20bb66&oe=56D18294&__gda__=1456294351_feed673783e94a2b2581dc30cb848aa9
    

    Modified link

    \"\\"https:/fbcdn-sphotos-e-a.akamaihd.net/hphotos-ak-xtf1/v/t1.0-9/11986487_415295328664449_5126694793652411223_n.jpg?oh=2e74053db8bc3b2199d83bf70e20bb66&oe=56D18294&__gda__=1456294351_feed673783e94a2b2581dc30cb848aa9\\"\" alt=\"\"
    

    I tried switching my text editor to CKEditor, to no avail. The code responsible for adding articles does not seem to have any flaw, and I am absolutely baffled. It looks like this -

    <!DOCTYPE html>
    <html>
    <head><!-- CDN hosted by Cachefly -->
    <a href='login_editor.php'>BACK</a>
    &nbsp;&nbsp;&nbsp;&nbsp;
    <a href='index.php'>SITE HOME </a>
    <title>Create an Article </title>

    <script src="tinymce/tinymce.min.js"></script>
    <script src="ckeditor/ckeditor.js"></script>

    <script>
    tinymce.init({
        selector: '#content,#summary',
        plugins: [
            "advlist autolink lists link image charmap print preview anchor",
            "searchreplace visualblocks code fullscreen",
            "insertdatetime media table contextmenu paste"
        ],
        toolbar: "insertfile undo redo | styleselect | bold italic | alignleft aligncenter alignright alignjustify | bullist numlist outdent indent | link image"
    });
    </script>
    </head>

    <body background='hsw.jpg'>
    <center>
    <?php
    require 'database.php';
    session_start();
    echo $_SESSION['eid'];
    if (!isset($_SESSION['email']))
        echo "<script>window.location='login_editor.php'</script>";

    $a = $_SESSION['eid'];

    if ($_SESSION['eid'] == null)
        echo "<script>window.location='login_editor.php'</script>";

    if (isset($_POST['add']))
    {
        $email = $_SESSION['email'];
        $eid = $_SESSION['eid'];
        echo $eid;
        $title = $_POST['titleofarticle'];
        $titleimage = $_POST['titleimage'];
        $titleimage = "<img src='" . $titleimage . "'>";
        $summary = $_POST['summary'];
        $article = $_POST['content'];

        $pdo = Database::connect();
        echo $eid;
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $sql = "INSERT INTO editorials (eid,title,titleimage,summary,content) values(?, ?, ?, ?, ?)";
        $q = $pdo->prepare($sql);
        $q->execute(array($eid, $title, $titleimage, $summary, $article));
        Database::disconnect();
        echo "Article Submitted! Reloading this page in 5 sec.<script>setTimeout(function(){
            window.location='login_editor.php';
        }, 5000);</script>";
    }
    else
    {
    ?>
    <form method="post" action="<?php $_PHP_SELF ?>">
        <h3><font face="Small Fonts">Article Title</h3> <br>
        <input name="titleofarticle" type="text" id="titleofarticle" required size="100"><br><br>
        <h3><font face="Small Fonts">Article Title Image</h3> <br>
        <input name="titleimage" type="text" id="titleimage" placeholder="Image URL" required size="100"> <br><br>
        <h3><font face="Small Fonts">Article Description - Appears Below The Title Image </h3> <br>
        <textarea name="summary" id="summary" rows="10" cols="80"></textarea><br>
        <script>
            // Replace the <textarea id="summary"> with a CKEditor
            // instance, using default configuration.
            CKEDITOR.replace( 'summary' );
        </script>
        <h3><font face="Small Fonts">Article Content</h3> <br>
        <textarea name="content" id="content" rows="10" cols="80"></textarea>
        <script>
            // Replace the <textarea id="content"> with a CKEditor
            // instance, using default configuration.
            CKEDITOR.replace( 'content' );
        </script>
        <input name="add" type="submit" id="add" value="Submit">
    </form>
    <?php
    }
    ?>
    <hr><br>
    <a href='logout_editor.php'> LOGOUT </a>
    </body>
    </html>


    The same problem occurs even when I try to update existing articles, which makes old articles that used to be perfect even worse. The code for updating an article is as follows -

    <?php
    session_start();
    if (!isset($_SESSION['email']))
        echo "<script>window.location='login_editor.php'</script>";
    $id = $_GET['id'];
    $eid = $_GET['eid'];

    if ($_SESSION['eid'] != $eid)
        echo "<script>window.location='login_editor.php'</script>";

    require 'database.php';
    $pdo = Database::connect();
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $sql = "SELECT * FROM editorials where id = ?";
    $q = $pdo->prepare($sql);
    $q->execute(array($id));
    $data = $q->fetch(PDO::FETCH_ASSOC);
    $checkeid = $data['eid'];
    if ($_SESSION['eid'] != $checkeid)
        echo "<script>window.location='login_editor.php'</script>";

    Database::disconnect();
    ?>

    <?php
    if (!empty($_POST)) {
        // keep track of post values
        $title = $_POST['title'];
        $titleimage_a = $_POST['titleimagelink'];
        $titleimage = "<img src='" . $titleimage_a . "'>";
        $summary = $_POST['summary'];
        $content = $_POST['content'];

        $pdo = Database::connect();
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $sql = "UPDATE editorials set title = ?, titleimage = ?, summary = ?, content = ? WHERE id = ? AND eid = ?";
        $q = $pdo->prepare($sql);
        $q->execute(array($title, $titleimage, $summary, $content, $id, $eid));

        Database::disconnect();
        header("Location: login_editor.php");
    }
    else {
        $pdo = Database::connect();
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $sql = "SELECT * FROM editorials where id = ?";
        $q = $pdo->prepare($sql);
        $q->execute(array($id));
        $data = $q->fetch(PDO::FETCH_ASSOC);
        $title = $data['title'];
        $titleimage = $data['titleimage'];
        // strip the "<img src='" prefix (10 chars) and the "'>" suffix to recover the bare URL
        $titleimagelink_temp = substr($titleimage, 10);
        $titleimagelink = substr($titleimagelink_temp, 0, -2);
        $summary = $data['summary'];
        $content = $data['content'];

        Database::disconnect();
    }
    ?>
    <!DOCTYPE html>
    <html lang="en">
    <head>
    <link rel="shortcut icon" type="image/x-icon" href="1442008266.ico">
    <title>Update</title>
    <meta charset="utf-8">
    <script src="js/jquery.js"></script>
    <link href="css/bootstrap.min.css" rel="stylesheet">
    <script src="js/bootstrap.min.js"></script>
    <script type="text/javascript" src="http://tinymce.cachefly.net/4.2/tinymce.min.js"></script>
    <script src="ckeditor/ckeditor.js"></script>

    <script type="text/javascript">
    tinymce.init({
        selector: "#content,#summary",
        plugins: [
            "advlist autolink lists link image charmap print preview anchor",
            "searchreplace visualblocks code fullscreen",
            "insertdatetime media table contextmenu paste"
        ],
        toolbar: "insertfile undo redo | styleselect | bold italic | alignleft aligncenter alignright alignjustify | bullist numlist outdent indent | link image"
    });
    </script>
    </head>

    <body background='hsw.jpg'>
    <div class="container">
        <div class="span10 offset1">
            <div class="row">
                <h3>Update Article</h3>
            </div>

            <form class="form-horizontal" action="editorupdate.php?id=<?php echo $id?>&eid=<?php echo $eid?>" method="post">
              <div class="control-group">
                <label class="control-label">Title :</label>
                <div class="controls">
                    <input name="title" type="text" value="<?php echo $title?>" size="100">
                </div>
              </div>
              <div class="control-group">
                <label class="control-label">Title Image:</label>
                <div class="controls">
                    <input name="titleimagelink" type="text" value="<?php echo $titleimagelink?>" size="100">
                </div>
              </div>
              <div class="control-group">
                <label class="control-label">Summary :</label>
                <div class="controls">
                    <textarea name="summary" id="summary"><?php echo $summary?>
                    </textarea>
                    <script>
                        // Replace the <textarea id="summary"> with a CKEditor
                        // instance, using default configuration.
                        CKEDITOR.replace( 'summary' );
                    </script>
                </div>
              </div>
              <div class="control-group">
                <label class="control-label">Content :</label>
                <div class="controls">
                    <textarea name="content" id="content"><?php echo $content?>
                    </textarea>
                    <script>
                        // Replace the <textarea id="content"> with a CKEditor
                        // instance, using default configuration.
                        CKEDITOR.replace( 'content' );
                    </script>
                </div>
              </div>
              <div class="form-actions">
                  <button type="submit" class="btn btn-success">Update</button>
                  <a class="btn" href="login_editor.php">Back</a>
              </div>
            </form>
        </div>
    </div> <!-- /container -->
    </body>
    </html>


    So the result is that an article which should appear as -

    [screenshot of the expected rendering]

    is displayed as -

    [screenshot of the broken rendering]

    I have worn myself out trying to find the cause. Restoring an older backup and scanning my website for malware with Google's tools did not help. My domain host did say they found malicious code somewhere and suggested I try a $200 tool to remove the malware. I complained a bit, and another tech support representative looked into the problem and said this -

    [screenshot of the support representative's reply]

    That does not seem relevant. What could the cause be?

1 answer:

Answer 0 (score: 2)

I'm surprised this works at all: it looks as if someone downgraded your server / activated magic quotes, but:

  • you are storing unvalidated content in the database and then outputting it as HTML, without even using something like htmlspecialchars to make sure your HTML does not break;
  • you try to start a session when you have already sent output to the browser.

But your biggest problem is that your script is very insecure: you use a JavaScript redirect when checking your session, for example:

  if($_SESSION['eid']==null) 
      echo "<script>window.location='login_editor.php'</script>";

This means your whole script is executed on the server before the redirect happens in the browser,

so anyone can modify and add articles with no authentication at all.

You should check for a valid session at the very top of the script, then redirect with header, followed by exit; so that nothing is executed when no valid user is found.
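The fix the answer describes, as an added example that is not code from the question or the answer: the session guard at the top of the script with a server-side redirect and exit, a stripslashes pass that undoes the magic-quotes escaping behind the \" in the modified link, and htmlspecialchars on values echoed back into the form. It assumes the session keys 'email' and 'eid', the page login_editor.php and the field name 'titleofarticle' from the question.

```php
<?php
// Added example (not the asker's or answerer's code). Assumes the session keys
// 'email' and 'eid', login_editor.php and the 'titleofarticle' field from the question.

// 1. Start the session before any byte of output is sent, then gate the request.
session_start();

function requireEditorSession()
{
    if (empty($_SESSION['email']) || empty($_SESSION['eid'])) {
        // Server-side redirect plus exit: nothing after this line runs for an
        // unauthenticated request, unlike the JavaScript redirect in the question.
        header('Location: login_editor.php');
        exit;
    }
    return (int) $_SESSION['eid'];
}

// 2. Reverse the magic_quotes_gpc escaping (PHP < 5.4) that turns " into \"
//    in submitted data; on newer PHP the array is returned unchanged.
function stripMagicQuotes($value)
{
    if (is_array($value)) {
        return array_map('stripMagicQuotes', $value);
    }
    return stripslashes($value);
}

function readPost()
{
    $post = $_POST;
    if (PHP_VERSION_ID < 50400 && get_magic_quotes_gpc()) {
        $post = stripMagicQuotes($post);
    }
    return $post;
}

// 3. Escape every value echoed into an attribute or text node, so a quote in a
//    title cannot break out of value="..." and a stray </textarea> in the
//    summary cannot break out of the editor's textarea.
function h($text)
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

$eid   = requireEditorSession();
$post  = readPost();
$title = isset($post['titleofarticle']) ? $post['titleofarticle'] : '';

echo '<input name="titleofarticle" type="text" value="' . h($title) . '">';
```

Escaping with h() is right for values placed back into form fields; rendering the stored WYSIWYG HTML on the public article page needs an HTML sanitizer instead, since htmlspecialchars would display the tags literally.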