09-24-2004, 04:48 AM
09-24-2004, 11:58 AM
No, I simply did a replace of quote to the HTML equivalent.
09-25-2004, 04:27 AM
OK. When I get around to doing the javascript version, I'll add it in
09-25-2004, 05:15 PM
You know, when adding things like that, without placing a htmlentities or similar, it is very easy to write exploits. For example, if I had known about that bug beforehand, I could have forwarded the entire General forum to a complete new site. You have to be careful about security loopholes.
Whitetiger showed me the importance of that a while ago.
09-25-2004, 10:23 PM
dark: There shouldn't have been any loophole/bug, as html is turned off generally on the forum here. But I've used htmlentities now anyway ;-) Either way, if there's probs let us know.
09-26-2004, 03:24 PM
html may be turned off in the posts, but can it not still be run from a tooltip, like that? I mean if you hadn't put in the fix, would this not work:
if I started the post with:
">Hijacked Thread name here</a>
surely that would actually work, no?
09-26-2004, 03:33 PM
As soon as you post that text, it gets run through the PHP function htmlentities, which makes " to &quot;, < to &lt; and so on, therefore the browser interprets them as stuff to print on screen, and not anything to parse.
09-26-2004, 08:02 PM
Oh, so you mean it gets stored after htmlentities is run? Right.. that works I guess =) I was under the impression that htmlentities was run as the page was processed, which would explain why the quote mark made a mess of the tooltip, because wildcard might have forgotten to put htmlentities for the tooltip.
09-26-2004, 10:49 PM
Not knowing phpBB/php very well, I assume that the way phpBB checks/changes html to text doesn't include quotes; it may use html entities and leave quotes, I'm not sure.
09-27-2004, 06:29 PM
Quote: Not knowing phpBB/php very well, I assume that the way phpBB checks/changes html to text doesn't include quotes; it may use html entities and leave quotes, I'm not sure.
That would explain the whole thing then. ok dokes!
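
The tooltip case discussed in this thread, as an added PHP example (not code from this forum or from phpBB): it places the start of a post into a `title` attribute and compares what survives with no escaping and with the three quote modes of `htmlentities`. The functions `topic_link` and `parsed_title`, the link URL and the sample post are hypothetical.

```php
<?php
// Added illustration; topic_link() and parsed_title() are hypothetical helpers,
// not phpBB functions. The URL and post text are constructed samples.

// Post text beginning with a quote mark, as in the thread.
$post = '">Hijacked Thread name here</a> rest of the post';

// Builds a thread link whose tooltip (title attribute) is the start of the post.
function topic_link(string $tooltip, string $name): string
{
    return '<a href="viewtopic.php?t=1" title="' . $tooltip . '">' . $name . '</a>';
}

// Returns the title value the way a browser reads it: a double-quoted
// attribute value ends at the first literal ", then entities are decoded.
function parsed_title(string $html): string
{
    preg_match('/title="([^"]*)"/', $html, $m);
    return html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
}

$variants = [
    // No escaping at all: the quote closes the attribute and the markup is live.
    'raw'          => $post,
    // < and > are escaped but quotes are left alone: the markup is inert,
    // yet the quote still ends the attribute early and garbles the tooltip.
    'ENT_NOQUOTES' => htmlentities($post, ENT_NOQUOTES, 'UTF-8'),
    // Double quotes escaped: enough for a double-quoted attribute.
    'ENT_COMPAT'   => htmlentities($post, ENT_COMPAT, 'UTF-8'),
    // Single and double quotes escaped: safe for either quoting style.
    'ENT_QUOTES'   => htmlentities($post, ENT_QUOTES, 'UTF-8'),
];

foreach ($variants as $label => $tooltip) {
    $html   = topic_link($tooltip, 'Thread name');
    $intact = parsed_title($html) === $post;
    printf("%-13s %s\n  %s\n", $label, $intact ? 'tooltip intact' : 'attribute broken', $html);
}
```

Escaping at output time for the context the value lands in (here an attribute) covers the case where stored text was encoded with a mode that leaves quotes untouched.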