Qbasicnews.com QbasicNews.Com Site/Forum Issues v
Topic titles missing

Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Threaded Mode
Topic titles missing
oracle Offline
Posting Freak
*****
Posts: 3,343
Threads: 83
Joined: Mar 2003
#21
09-24-2004, 04:48 AM
Aah crap... there's always something I'm forgetting... :lol:

wc: I take it you just ran the title text through htmlentities, right?
size=9]Oracle
QBNZ | GeSHi - Generic Syntax Highlighter for PHP | PHPClasses[/size]
Website Find
Reply
wildcard Offline
Administrator
*******
Posts: 1,138
Threads: 211
Joined: Feb 2020
#22
09-24-2004, 11:58 AM
No I simply did a replace of quote to the html equvialent.
Find
Reply
oracle Offline
Posting Freak
*****
Posts: 3,343
Threads: 83
Joined: Mar 2003
#23
09-25-2004, 04:27 AM
OK. When I get around to doing the javascript version, I'll add it in Smile
size=9]Oracle
QBNZ | GeSHi - Generic Syntax Highlighter for PHP | PHPClasses[/size]
Website Find
Reply
KiZ Offline
Posting Freak
*****
Posts: 2,771
Threads: 96
Joined: Oct 2003
#24
09-25-2004, 05:15 PM
you know, when adding things like that, without placing a htmlentites or similar, it is very easy to write exploits, for example, if I had known about that bug before hand, i could have forwarded the entire General forum to a complete new site Wink You have to be careful about security loop holes.

Whitetiger showed me the importance of that a while ago.
Website Find
Reply
wildcard Offline
Administrator
*******
Posts: 1,138
Threads: 211
Joined: Feb 2020
#25
09-25-2004, 10:23 PM
dark: There shouldn't have been any loophole/bug as html is turned off generally on the forum here. But I've used htmlentities now anyway ;-) Either way if theres probs let us know.
Find
Reply
KiZ Offline
Posting Freak
*****
Posts: 2,771
Threads: 96
Joined: Oct 2003
#26
09-26-2004, 03:24 PM
html may be turned off in the posts, but can it not still be run from a tooltip, like that? I mean if you hadnt put in the fix, would this not work:

if i started the post with:

">Hijacked Thread name here</a>

surely that would actually work, no?
Website Find
Reply
Zap Offline
Posting Freak
*****
Posts: 838
Threads: 17
Joined: Jan 2002
#27
09-26-2004, 03:33 PM
as soon as you post that text, it gets run thru the php function htmlentities, which makes " to &quot; < to &lt; aso, therefore the browser interprets them as stuff to print on screen, and not anything to parse.
url=http://www.copy-pasta.com]CopyPasta[/url] - FilePasta
Find
Reply
KiZ Offline
Posting Freak
*****
Posts: 2,771
Threads: 96
Joined: Oct 2003
#28
09-26-2004, 08:02 PM
oh, so you mean it gets stored after htmlentites is run? Right.. that works i guess =) I was under the impression that html entities was run as the page was processed, which would explain why the quote mark made a mess of the tooltip, because wildcard might have forgotten to put Htmlentites for the tooltip.
Website Find
Reply
wildcard Offline
Administrator
*******
Posts: 1,138
Threads: 211
Joined: Feb 2020
#29
09-26-2004, 10:49 PM
Not knowing phpBB/php very well I assume that the way phpBB checks/changes html to text doesn't include quotes, it may use html enities and leave quotes, I'm not sure.
Find
Reply
KiZ Offline
Posting Freak
*****
Posts: 2,771
Threads: 96
Joined: Oct 2003
#30
09-27-2004, 06:29 PM
Quote:Not knowing phpBB/php very well I assume that the way phpBB checks/changes html to text doesn't include quotes, it may use html enities and leave quotes, I'm not sure.

That would explain the whole thing then. ok dokes!
Website Find
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)