$record['data'] isn't escaped to be shown on HTML

[marado]

I noticed this on brzones.php, where we do, without any escaping, something like this:

<INPUT type="text" value="$record['data']">

The problem with this is that $record['data'] (specially in the case of TXT records) can have ruinous characters, like ". So, if we have a TXT record saying this is an "example", our HTML will be:

<input type="text" value="this is an "example"">

Which is obviously wrong, and can even lead to data loss.

[marado]

According to RFC 1035:

<character-string> is expressed in one or two ways: as a contiguous set of characters without interior spaces, or as a string beginning with a " and ending with a ". Inside a " delimited string any character can occur, except for a " itself, which must be quoted using \ (back slash).

So, my example was wrong: a TXT record saying this is an "example" needs to be inserted as "this is an "example"". Of course, this doesn't quite comply with what we have been doing right now: we have been accepting TXT records with interior spaces. But, just because servers are usually relaxed about our records it doesn't mean we shouldn't be strict generating them. So, my proposal:

1. accept any kind of input in a TXT field, but:
   1.1 - if it starts with ", we need to validate it, checking if it is composed or not by a number of character-strings. I Mean, the record must be either something like "example one" or "example two" "can have more" "than one" "string";
   1.2 - if it doesn't start with ", convert it to do so. I mean, entry would be turned into "entry", and another "entry" would be converted into "another" "entry";
2. validate all TXT results, only accept valid TXT records (I mean, records that comply with the RFC section I've quoted);
3. allways convert text2html the record when you're going to display it on the interface, but
4. escape the record when you're putting it on an input field.

[bevhost]

One solution might be to use a textarea element instead. I would be in favour of this especially if it was just called data and includes pref weight port etc, so for example it was the entire data record.
So if the record type was MX the data field might contain "10 mail"

Another solution might be to simply have a standard where the TXT record contains no " characters and the record has them added by the export routine.

I think the second approach would be easier, but it depends on whether you need " in the middle of the string, which would not be possible except with the first approach.

[bevhost]

in 1.2; another "entry" should be converted into "another "entry"";