05-21-2011, 05:25 AM
05-21-2011, 06:21 AM
I can see why this is annoying. And possibly compromising security.
05-21-2011, 06:59 AM
Fixed it.
Code:
rpolzer@srv01:/home/httpd/xonotic.org/HTML$ diff -u /tmp/wordbb.php wp-content/plugins/wordbb/wordbb.php
--- /tmp/wordbb.php 2011-05-21 13:58:20.718413641 +0200
+++ wp-content/plugins/wordbb/wordbb.php 2011-05-21 13:58:00.168429991 +0200
@@ -373,12 +373,12 @@
?>
<li>
<?php if($mode=='threads') : ?>
- <a href="<?php echo $wordbb->mybb_url.'/showthread.php?tid='.$entry->tid ?>"><?php echo $entry->subject ?></a>
+ <a href="<?php echo $wordbb->mybb_url.'/showthread.php?tid='.$entry->tid ?>"><?php echo htmlspecialchars($entry->subject) ?></a>
<?php else : ?>
- <a href="<?php echo $wordbb->mybb_url.'/showthread.php?tid='.$entry->tid.'&pid='.$entry->pid.'#pid'.$entry->pid ?>"><?php echo $entry->subject ?></a>
+ <a href="<?php echo $wordbb->mybb_url.'/showthread.php?tid='.$entry->tid.'&pid='.$entry->pid.'#pid'.$entry->pid ?>"><?php echo htmlspecialchars($entry->subject) ?></a>
<?php endif ?>
<?php if($usernames) : ?>
- by <a href="<?php echo $wordbb->mybb_url ?>/member.php?action=profile&uid=<?php echo $entry->uid ?>"><?php echo $entry->username ?></a>
+ by <a href="<?php echo $wordbb->mybb_url ?>/member.php?action=profile&uid=<?php echo $entry->uid ?>"><?php echo htmlspecialchars($entry->username) ?></a>
<?php endif ?>
</li>
<?php
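Review bot: htmlspecialchars() is called with default flags at all three changed lines, so on the PHP versions current when this was posted (before 5.4) it leaves single quotes alone and assumes ISO-8859-1. That is enough for these call sites, because $entry->subject and $entry->username land in element content inside double-quoted markup, but passing ENT_QUOTES and the site charset (`htmlspecialchars($entry->subject, ENT_QUOTES, 'UTF-8')`) would keep the fix correct if a later edit moves either value into an attribute. The ids $entry->tid, $entry->pid and $entry->uid are still echoed into the href unescaped; nothing in the hunk shows them being integers, so casting with (int) at the echo would make that assumption explicit.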
05-21-2011, 04:16 PM
Nice one
05-22-2011, 02:27 AM
Thank you divVerent
05-22-2011, 03:35 AM
Can I delete this thread now?
05-22-2011, 05:31 AM
I don't understand why the HTML tags are not converted to entities going INTO the database. Isn't it best to have it safe in the database and only convert back to real tags where needed?
05-22-2011, 06:39 AM
(05-22-2011, 05:31 AM)PinkRobot Wrote: I don't understand why the HTML tags are not converted to entities going INTO the database. Isn't it best to have it safe in the database and only convert back to real tags where needed?
That's probably what the author of the plugin thought

If you don't sanitise your input when rendering BY DEFAULT then you are asking for problems. Unfortunately languages like PHP require you to explicitly escape input, whereas most templating languages (e.g. Jinja2) will do that for you.
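A worked illustration of the point made in the last two posts: escape at the output point, in the context the value is written into, rather than on the way into the database. This is an added PHP example, not code from the WordBB plugin or from any poster; the helpers e() and renderEntry(), the forum URL and the sample row are made up for the example.

```php
<?php
// Added example, not from the WordBB plugin: escape at the output point, in the
// context the value is written into, instead of escaping on the way into the DB.
declare(strict_types=1);

// Escape for HTML element content and quoted attribute values. ENT_QUOTES
// covers single as well as double quotes; ENT_SUBSTITUTE replaces invalid UTF-8
// instead of making htmlspecialchars() return an empty string.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Render one entry the way the patched template does, escaping every dynamic
// value as it is written into the markup and forcing the ids to integers.
function renderEntry(string $mybbUrl, array $entry): string
{
    $tid = (int) $entry['tid'];
    $uid = (int) $entry['uid'];
    return '<li><a href="' . e($mybbUrl) . '/showthread.php?tid=' . $tid . '">'
        . e($entry['subject']) . '</a> by '
        . '<a href="' . e($mybbUrl) . '/member.php?action=profile&amp;uid=' . $uid . '">'
        . e($entry['username']) . '</a></li>';
}

// Constructed sample row; the subject is attacker-controlled forum input.
$row = [
    'tid'      => 123,
    'uid'      => 7,
    'username' => 'PinkRobot',
    'subject'  => '<script>alert(document.cookie)</script> Tom & Jerry',
];

echo "Escaped on output (raw value kept in the database):\n";
echo renderEntry('https://forums.example.org', $row), "\n\n";

// The alternative raised in the thread: HTML-escape before storing.
$storedEscaped = htmlspecialchars($row['subject'], ENT_QUOTES, 'UTF-8');

// 1. Every non-HTML consumer of the same column now receives entities
//    (an API client, a mail template, an RSS feed).
echo "Stored escaped, served as JSON to an API client:\n";
echo json_encode(['subject' => $storedEscaped]), "\n\n";

// 2. A template that escapes correctly double-encodes it: the reader sees a
//    literal "&lt;script&gt;" and "&amp;" on the rendered page.
echo "Stored escaped, then rendered through an escaping template:\n";
echo e($storedEscaped), "\n\n";

// 3. Length limits and truncation now operate on the encoded form: cutting
//    this value at 38 characters leaves a dangling "&l" that was never in
//    the user's text.
echo "Stored escaped, truncated to a 38-character teaser:\n";
echo mb_substr($storedEscaped, 0, 38), "\n";
```

Run it with `php example.php`: the first block is safe markup, while the three variants that follow show why the stored value should stay raw and the escaping should live in the template, chosen per output context (HTML body, attribute, URL, JSON).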