Qbasicnews.com

Full Version: Topic titles missing
Aah crap... there's always something I'm forgetting... :lol:

wc: I take it you just ran the title text through htmlentities, right?
No, I simply did a replace of quote to the html equivalent.
OK. When I get around to doing the javascript version, I'll add it in Smile
You know, when adding things like that, without placing a htmlentities or similar, it is very easy to write exploits. For example, if I had known about that bug beforehand, I could have forwarded the entire General forum to a complete new site Wink You have to be careful about security loopholes.

Whitetiger showed me the importance of that a while ago.
dark: There shouldn't have been any loophole/bug as html is turned off generally on the forum here. But I've used htmlentities now anyway ;-) Either way, if there's probs let us know.
html may be turned off in the posts, but can it not still be run from a tooltip, like that? I mean, if you hadn't put in the fix, would this not work:

if I started the post with:

">Hijacked Thread name here</a>

surely that would actually work, no?
As soon as you post that text, it gets run through the php function htmlentities, which makes " to &quot;, < to &lt; and so on; therefore the browser interprets them as stuff to print on screen, and not anything to parse.
Oh, so you mean it gets stored after htmlentities is run? Right.. that works I guess =) I was under the impression that htmlentities was run as the page was processed, which would explain why the quote mark made a mess of the tooltip, because wildcard might have forgotten to put htmlentities for the tooltip.
Not knowing phpBB/php very well, I assume that the way phpBB checks/changes html to text doesn't include quotes; it may use html entities and leave quotes, I'm not sure.
Quote: Not knowing phpBB/php very well, I assume that the way phpBB checks/changes html to text doesn't include quotes; it may use html entities and leave quotes, I'm not sure.

That would explain the whole thing then. ok dokes!
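
The quote-handling question raised in this thread, as an added example that is not part of the original posts or of the forum's code: the same title escaped with and without quote conversion, then placed in a tooltip (`title` attribute) and checked by parsing the result. The helper names, the `viewtopic.php?t=1` link and the first title are assumptions made for illustration, and `ENT_NOQUOTES` stands in for "an escape step that leaves quotes alone".

```php
<?php
// Added example, not the forum's code. render_topic_link() and
// tooltip_intact() are hypothetical helpers; both titles are sample input.

// Build a topic link whose tooltip (title attribute) repeats the topic title.
// $flags selects the quote handling of htmlspecialchars().
function render_topic_link(string $title, int $flags): string
{
    $safe = htmlspecialchars($title, $flags | ENT_SUBSTITUTE, 'UTF-8');
    return '<a href="viewtopic.php?t=1" title="' . $safe . '">' . $safe . '</a>';
}

// Parse the markup and confirm that the tooltip round-trips to the
// original text and that no stray attributes appeared on the link.
function tooltip_intact(string $html, string $title): bool
{
    $doc  = new DOMDocument();
    $prev = libxml_use_internal_errors(true);   // broken markup raises warnings
    $doc->loadHTML($html);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $links = $doc->getElementsByTagName('a');
    if ($links->length !== 1) {
        return false;
    }
    $a = $links->item(0);
    return $a->getAttribute('title') === $title
        && $a->attributes->length === 2          // only href and title
        && $a->textContent === $title;
}

$titles = [
    'Why does "PRINT" fail?',                    // constructed, harmless title
    '">Hijacked Thread name here</a>',           // the string quoted in the thread
];
$modes = ['ENT_NOQUOTES' => ENT_NOQUOTES, 'ENT_QUOTES' => ENT_QUOTES];

foreach ($modes as $name => $flags) {
    foreach ($titles as $title) {
        $html = render_topic_link($title, $flags);
        printf("%-12s %-6s %s\n", $name,
            tooltip_intact($html, $title) ? 'ok' : 'BROKEN', $html);
    }
}
```

Since PHP 8.1 `htmlspecialchars()` and `htmlentities()` default to `ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401`; earlier versions defaulted to `ENT_COMPAT`, which converts double quotes but not single quotes, so attribute values delimited by single quotes need `ENT_QUOTES` passed explicitly there.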