b2evolution

Multilingual multiuser multi-blog engine
Home About Demo Download Hosting Extend Docs Forums
 HomeHome   SearchSearch   UsergroupsUsergroups   RegisterRegister   Log inLog in 
[FIXED] Bug in _misc.funcs.php - htmlspecialchars()

 
Post new topic   Reply to topic   printer-friendly view    b2evolution Forum Index -> Bug reports -> CVS & Preview releases
View previous topic :: View next topic  
Author Message
matthius
New Poster
New Poster

Joined: 08 Feb 2005
Posts: 15
Reputation: 15.3Reputation: 15.3 add or subtract from this member's reputationadd or subtract from this member's reputation
PostPosted: Wed Aug 17, 2005 14:31    Post subject: [FIXED] Bug in _misc.funcs.php - htmlspecialchars() Reply with quote
b2evolution dev team,

I am currently one of the crazy souls using the CVS version in a production environment. I know I deserve no pity... but I wanted to alert you to a problem in _misc.funcs.php,v 1.78 2005/08/09 15:22:40.

The function format_to_edit() makes use of htmlspecialchars(). This appears to be totally unnecessary and it breaks any links in the post when the post is edited.

The only thing that would need to be escaped is </textarea> which could be done with something like $result = preg_replace ("\</textarea>\i", "&amp;lt;/textarea&amp;gt;", $content); but even this is unnecessary because it appears code elsewhere always sanitizes $content properly.

Even with no sanitization in format_to_edit() something like </textarea> in the DB is properly escaped.



Keep up the good work!
- Matt
Back to top
View user's profile Send private message
fplanque
Core Developer
Core Developer

Joined: 13 Jun 2003
Posts: 863
Reputation: 193.4Reputation: 193.4 add or subtract from this member's reputationadd or subtract from this member's reputation
votes: 9
PostPosted: Thu Aug 18, 2005 10:06    Post subject: Reply with quote
Thanks for pointing to this.

I got rid of format_to_edit() completely. This functionnality is actually being taken care of by the Form class.

It should be fixed in CVS now.
_________________
François - Rambling on... State of the Evolution - fplanque.com
b2evolution project maintainer / main developer

Follow b2evolution on twitter and become a fan of b2evolution on facebook
Back to top
View user's profile Visit poster's website
Display posts from previous:   
Post new topic   Reply to topic   printer-friendly view    b2evolution Forum Index -> CVS & Preview releases All times are GMT - 5 Hours
Page 1 of 1


 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
b2evolution Support Forum RSS Feed Forums powered by php Bulletin Board

b2evolution is maintained by François Planque / The Evo Factory · The forums are administered by whoo & Topanga · Contact · Team