05-21-2011, 05:25 AM
05-21-2011, 06:21 AM
I can see why this is annoying. And possibly compromising security.
05-21-2011, 06:59 AM
Fixed it.
Code:
rpolzer@srv01:/home/httpd/xonotic.org/HTML$ diff -u /tmp/wordbb.php wp-content/plugins/wordbb/wordbb.php
--- /tmp/wordbb.php 2011-05-21 13:58:20.718413641 +0200
+++ wp-content/plugins/wordbb/wordbb.php 2011-05-21 13:58:00.168429991 +0200
@@ -373,12 +373,12 @@
?>
<li>
<?php if($mode=='threads') : ?>
- <a href="<?php echo $wordbb->mybb_url.'/showthread.php?tid='.$entry->tid ?>"><?php echo $entry->subject ?></a>
+ <a href="<?php echo $wordbb->mybb_url.'/showthread.php?tid='.$entry->tid ?>"><?php echo htmlspecialchars($entry->subject) ?></a>
<?php else : ?>
- <a href="<?php echo $wordbb->mybb_url.'/showthread.php?tid='.$entry->tid.'&pid='.$entry->pid.'#pid'.$entry->pid ?>"><?php echo $entry->subject ?></a>
+ <a href="<?php echo $wordbb->mybb_url.'/showthread.php?tid='.$entry->tid.'&pid='.$entry->pid.'#pid'.$entry->pid ?>"><?php echo htmlspecialchars($entry->subject) ?></a>
<?php endif ?>
<?php if($usernames) : ?>
- by <a href="<?php echo $wordbb->mybb_url ?>/member.php?action=profile&uid=<?php echo $entry->uid ?>"><?php echo $entry->username ?></a>
+ by <a href="<?php echo $wordbb->mybb_url ?>/member.php?action=profile&uid=<?php echo $entry->uid ?>"><?php echo htmlspecialchars($entry->username) ?></a>
<?php endif ?>
</li>
<?php
05-21-2011, 04:16 PM
Nice one
05-22-2011, 02:27 AM
Thank you divVerent
05-22-2011, 03:35 AM
Can I delete this thread now?
05-22-2011, 05:31 AM
I don't understand why the HTML tags are not converted to entities going INTO the database. Isn't it best to have it safe in the database and only convert back to real tags where needed?
05-22-2011, 06:39 AM
(05-22-2011, 05:31 AM)PinkRobot Wrote: [ -> ]I don't understand why the HTML tags are not converted to entities going INTO the database. Isn't it best to have it safe in the database and only convert back to real tags where needed?
That's probably what the author of the plugin thought . You should be HTML sanitising your input when you render it, otherwise you're still rendering raw HTML so that entities display correctly (which just leads to more breakage rather than fixing the issue).
If you don't sanitise your input when rendering BY DEFAULT then you are asking for problems. Unfortunately languages like PHP require you to explicitly escape input, whereas most templating languages (e.g. Jinja2) will do that for you.