[SUGGESTION] <a href="http://tinyurl.com/sydma" style="font-size: 4em;">Fix the front page NOW</a>

Really, I hate this bug.

I can see why this is annoying. And possibly compromising security.

Fixed it.

Code:

rpolzer@srv01:/home/httpd/xonotic.org/HTML$ diff -u /tmp/wordbb.php wp-content/plugins/wordbb/wordbb.php
--- /tmp/wordbb.php     2011-05-21 13:58:20.718413641 +0200
+++ wp-content/plugins/wordbb/wordbb.php        2011-05-21 13:58:00.168429991 +0200
@@ -373,12 +373,12 @@
?>
                <li>
                <?php if($mode=='threads') : ?>
-               <a href="<?php echo $wordbb->mybb_url.'/showthread.php?tid='.$entry->tid ?>"><?php echo $entry->subject ?></a>
+               <a href="<?php echo $wordbb->mybb_url.'/showthread.php?tid='.$entry->tid ?>"><?php echo htmlspecialchars($entry->subject) ?></a>
                <?php else : ?>
-               <a href="<?php echo $wordbb->mybb_url.'/showthread.php?tid='.$entry->tid.'&pid='.$entry->pid.'#pid'.$entry->pid ?>"><?php echo $entry->subject ?></a>
+               <a href="<?php echo $wordbb->mybb_url.'/showthread.php?tid='.$entry->tid.'&pid='.$entry->pid.'#pid'.$entry->pid ?>"><?php echo htmlspecialchars($entry->subject) ?></a>
                <?php endif ?>
                <?php if($usernames) : ?>
-               by <a href="<?php echo $wordbb->mybb_url ?>/member.php?action=profile&uid=<?php echo $entry->uid ?>"><?php echo $entry->username ?></a>
+               by <a href="<?php echo $wordbb->mybb_url ?>/member.php?action=profile&uid=<?php echo $entry->uid ?>"><?php echo htmlspecialchars($entry->username) ?></a>
                <?php endif ?>
                </li>
<?php

Nice one

Thank you divVerent

Can I delete this thread now?

I don't understand why the HTML tags are not converted to entities going INTO the database. Isn't it best to have it safe in the database and only convert back to real tags where needed?

I don't understand why the HTML tags are not converted to entities going INTO the database. Isn't it best to have it safe in the database and only convert back to real tags where needed?

That's probably what the author of the plugin thought . You should be HTML sanitising your input when you render it, otherwise you're still rendering raw HTML so that entities display correctly (which just leads to more breakage rather than fixing the issue).

If you don't sanitise your input when rendering BY DEFAULT then you are asking for problems. Unfortunately languages like PHP require you to explicitly escape input, whereas most templating languages (e.g. Jinja2) will do that for you.