+- Xonotic Forums (https://forums.xonotic.org)
+-- Forum: Creating & Contributing (https://forums.xonotic.org/forumdisplay.php?fid=10)
+--- Forum: Xonotic - Suggestion Box (https://forums.xonotic.org/forumdisplay.php?fid=20)
+--- Thread: [SUGGESTION] <a href="http://tinyurl.com/sydma" style="font-size: 4em;">Fix the front page NOW</a> (/showthread.php?tid=1851)
<a href="http://tinyurl.com/sydma" style="font-size: 4em;">Fix the front page NOW</a> - divVerent - 05-21-2011
Really, I hate this bug.
RE: <a href="http://tinyurl.com/sydma" style="font-size: 4em;">Fix the front page NOW</a> - Minkovsky - 05-21-2011
I can see why this is annoying. And possibly compromising security.
RE: <a href="http://tinyurl.com/sydma" style="font-size: 4em;">Fix the front page NOW</a> - divVerent - 05-21-2011
Fixed it.
Code:
rpolzer@srv01:/home/httpd/xonotic.org/HTML$ diff -u /tmp/wordbb.php wp-content/plugins/wordbb/wordbb.php
--- /tmp/wordbb.php 2011-05-21 13:58:20.718413641 +0200
+++ wp-content/plugins/wordbb/wordbb.php 2011-05-21 13:58:00.168429991 +0200
@@ -373,12 +373,12 @@
?>
<li>
<?php if($mode=='threads') : ?>
- <a href="<?php echo $wordbb->mybb_url.'/showthread.php?tid='.$entry->tid ?>"><?php echo $entry->subject ?></a>
+ <a href="<?php echo $wordbb->mybb_url.'/showthread.php?tid='.$entry->tid ?>"><?php echo htmlspecialchars($entry->subject) ?></a>
<?php else : ?>
- <a href="<?php echo $wordbb->mybb_url.'/showthread.php?tid='.$entry->tid.'&pid='.$entry->pid.'#pid'.$entry->pid ?>"><?php echo $entry->subject ?></a>
+ <a href="<?php echo $wordbb->mybb_url.'/showthread.php?tid='.$entry->tid.'&pid='.$entry->pid.'#pid'.$entry->pid ?>"><?php echo htmlspecialchars($entry->subject) ?></a>
<?php endif ?>
<?php if($usernames) : ?>
- by <a href="<?php echo $wordbb->mybb_url ?>/member.php?action=profile&uid=<?php echo $entry->uid ?>"><?php echo $entry->username ?></a>
+ by <a href="<?php echo $wordbb->mybb_url ?>/member.php?action=profile&uid=<?php echo $entry->uid ?>"><?php echo htmlspecialchars($entry->username) ?></a>
<?php endif ?>
</li>
<?phpRE: <a href="http://tinyurl.com/sydma" style="font-size: 4em;">Fix the front page NOW</a> - PinkRobot - 05-21-2011
Nice one
RE: <a href="http://tinyurl.com/sydma" style="font-size: 4em;">Fix the front page NOW</a> - clanclanclan - 05-22-2011
Thank you divVerent
RE: <a href="http://tinyurl.com/sydma" style="font-size: 4em;">Fix the front page NOW</a> - CuBe0wL - 05-22-2011
Can I delete this thread now?
RE: <a href="http://tinyurl.com/sydma" style="font-size: 4em;">Fix the front page NOW</a> - PinkRobot - 05-22-2011
I don't understand why the HTML tags are not converted to entities going INTO the database. Isn't it best to have it safe in the database and only convert back to real tags where needed?
RE: <a href="http://tinyurl.com/sydma" style="font-size: 4em;">Fix the front page NOW</a> - clanclanclan - 05-22-2011
(05-22-2011, 05:31 AM)PinkRobot Wrote: I don't understand why the HTML tags are not converted to entities going INTO the database. Isn't it best to have it safe in the database and only convert back to real tags where needed?
That's probably what the author of the plugin thought
. You should be HTML sanitising your input when you render it, otherwise you're still rendering raw HTML so that entities display correctly (which just leads to more breakage rather than fixing the issue).If you don't sanitise your input when rendering BY DEFAULT then you are asking for problems. Unfortunately languages like PHP require you to explicitly escape input, whereas most templating languages (e.g. Jinja2) will do that for you.