Posts: 3,343
Threads: 83
Joined: Mar 2003
Aah crap... there's always something I'm forgetting... :lol:
wc: I take it you just ran the title text through htmlentities, right?
Posts: 1,138
Threads: 211
Joined: Feb 2020
No, I simply did a replace of quote to the HTML equivalent.
Posts: 3,343
Threads: 83
Joined: Mar 2003
OK. When I get around to doing the JavaScript version, I'll add it in.
Posts: 2,771
Threads: 96
Joined: Oct 2003
You know, when adding things like that, without placing a htmlentities or similar, it is very easy to write exploits. For example, if I had known about that bug beforehand, I could have forwarded the entire General forum to a completely new site.
You have to be careful about security loopholes.
Whitetiger showed me the importance of that a while ago.
Posts: 1,138
Threads: 211
Joined: Feb 2020
dark: There shouldn't have been any loophole/bug, as HTML is turned off generally on the forum here. But I've used htmlentities now anyway ;-) Either way, if there's probs let us know.
Posts: 2,771
Threads: 96
Joined: Oct 2003
HTML may be turned off in the posts, but can it not still be run from a tooltip, like that? I mean, if you hadn't put in the fix, would this not work:
if I started the post with:
">Hijacked Thread name here</a>
surely that would actually work, no?
Posts: 838
Threads: 17
Joined: Jan 2002
As soon as you post that text, it gets run through the PHP function htmlentities, which makes " to &quot;, < to &lt;, and so on; therefore the browser interprets them as stuff to print on screen, and not anything to parse.
Posts: 2,771
Threads: 96
Joined: Oct 2003
Oh, so you mean it gets stored after htmlentities is run? Right.. that works I guess =) I was under the impression that htmlentities was run as the page was processed, which would explain why the quote mark made a mess of the tooltip, because wildcard might have forgotten to put htmlentities for the tooltip.
Posts: 1,138
Threads: 211
Joined: Feb 2020
Not knowing phpBB/PHP very well, I assume that the way phpBB checks/changes HTML to text doesn't include quotes; it may use HTML entities and leave quotes, I'm not sure.
Posts: 2,771
Threads: 96
Joined: Oct 2003
Quote: Not knowing phpBB/PHP very well, I assume that the way phpBB checks/changes HTML to text doesn't include quotes; it may use HTML entities and leave quotes, I'm not sure.
That would explain the whole thing then. Ok dokes!
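The case the thread settles on (tags escaped, quotes left alone, text then placed in a tooltip attribute), as an added PHP example that is not from any poster and is not phpBB's or this forum's code. The function names and the `viewtopic.php?t=1` link are hypothetical; the sample post text is the string quoted in the thread.

```php
<?php
// Added illustration; function names and the link markup are hypothetical.

// Escapes &, < and > but leaves quotes alone: enough for text shown
// between tags, not enough for text placed inside a quoted attribute.
function escape_body_only(string $s): string {
    return htmlspecialchars($s, ENT_NOQUOTES, 'UTF-8');
}

// Escapes " and ' as well, so the value cannot terminate title="...".
function escape_attribute(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Thread link whose tooltip shows the start of the first post.
function thread_link(string $escapedPreview): string {
    return '<a href="viewtopic.php?t=1" title="' . $escapedPreview . '">Thread</a>';
}

// Parse the markup and return the title attribute as a browser would see it.
function parsed_title(string $html): string {
    $doc = new DOMDocument();
    @$doc->loadHTML($html);            // suppress warnings on broken markup
    $a = $doc->getElementsByTagName('a')->item(0);
    return $a ? $a->getAttribute('title') : '';
}

$post = '">Hijacked Thread name here</a>';   // text quoted in the thread

foreach (['escape_body_only', 'escape_attribute'] as $fn) {
    $html = thread_link($fn($post));
    $intact = parsed_title($html) === $post;
    printf("%-17s %s\n  tooltip: %s\n", $fn, $html,
        $intact ? 'intact' : 'cut short by the quote');
}
```

With quotes left unescaped the angle brackets are neutralised but the tooltip still ends at the first `"`, which is the "mess" described above; escaping quotes too keeps the whole text inside the attribute.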