1 Aug 17, 2005 21:31

b2evolution dev team,

I am currently one of the crazy souls using the CVS version in a production environment. I know I deserve no pity... but I wanted to alert you to a problem in _misc.funcs.php,v 1.78 2005/08/09 15:22:40.

The function format_to_edit() makes use of htmlspecialchars(). This appears to be totally unnecessary and it breaks any links in the post when the post is edited.

The only thing that would need to be escaped is </textarea>, which could be done with something like $result = preg_replace('/<\/textarea>/i', '&lt;/textarea&gt;', $content); but even this is unnecessary because it appears code elsewhere always sanitizes $content properly.

Even with no sanitization in format_to_edit() something like </textarea> in the DB is properly escaped.

Keep up the good work!
- Matt

2 Aug 18, 2005 17:06

Thanks for pointing this out.

I got rid of format_to_edit() completely. This functionality is actually being taken care of by the Form class.

It should be fixed in CVS now.
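The escaping question both posts turn on, as an added example that is not b2evolution code: a textarea's value must be HTML-escaped exactly once, at output. Escaping it zero times lets a stored post close the textarea and inject markup; a regex for the literal </textarea> misses variants the HTML parser still accepts as an end tag (whitespace, a slash or attributes after the tag name); escaping it twice (once in a helper like format_to_edit() and again in the form renderer) turns every "&" in a link into "&amp;amp;" so the text the user gets back in the editor no longer matches what was saved. The function names, the $post sample and the fixed textarea markup are constructed for this example.

```php
<?php
declare(strict_types=1);

// Added example, not from b2evolution. render_textarea(), editor_shows() and
// breaks_out_of_textarea() are hypothetical helpers written for this thread.

/**
 * Render a textarea, passing the value through htmlspecialchars() $times times.
 * 0 reproduces "no sanitization", 1 is correct, 2 reproduces the double
 * escaping that happens when two layers both escape the value.
 */
function render_textarea(string $content, int $times): string
{
    $value = $content;
    for ($i = 0; $i < $times; $i++) {
        $value = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    }
    return '<textarea name="content">' . $value . '</textarea>';
}

/** The regex-only approach from the first post: literal end tag, case-insensitive. */
function escape_textarea_only(string $content): string
{
    return preg_replace('#</textarea>#i', '&lt;/textarea&gt;', $content);
}

/**
 * Browsers treat textarea content as RCDATA and decode character references,
 * so html_entity_decode() approximates what the user sees in the editor.
 */
function editor_shows(string $content, int $times): string
{
    $html = render_textarea($content, $times);
    $inner = substr($html, strlen('<textarea name="content">'), -strlen('</textarea>'));
    return html_entity_decode($inner, ENT_QUOTES, 'UTF-8');
}

/**
 * True if the rendered value contains an end tag the HTML parser would accept
 * as closing the textarea early: "</textarea" followed by whitespace, "/" or ">".
 */
function breaks_out_of_textarea(string $html): bool
{
    $inner = substr($html, strlen('<textarea name="content">'), -strlen('</textarea>'));
    return preg_match('#</textarea[\s/>]#i', $inner) === 1;
}

// Constructed sample post: a link with a query string plus an end tag written
// with a space before ">", which the literal-tag regex does not match.
$post = '<a href="/search?q=cvs&v=1.78">log</a> </TEXTAREA ><script>alert(1)</script>';

// No escaping: the stored end tag closes the real textarea.
var_dump(breaks_out_of_textarea(render_textarea($post, 0)));
// Regex only: "</TEXTAREA >" survives, still breaks out.
var_dump(breaks_out_of_textarea(render_textarea(escape_textarea_only($post), 0)));
// htmlspecialchars() once: no "<" reaches the parser, and the editor shows
// exactly the saved text, "&" in the link included.
var_dump(breaks_out_of_textarea(render_textarea($post, 1)));
var_dump(editor_shows($post, 1) === $post);
// Escaped twice: the editor shows "&lt;a href=...&amp;v=1.78..." instead of
// the link, so saving the form again stores the entity-encoded text.
var_dump(editor_shows($post, 2) === $post);
echo editor_shows($post, 2), "\n";
```

Running this prints true, true, false, true, false and then the entity-encoded text a user would see after double escaping; the "breaks links in the post when the post is edited" symptom from the first post is that last line. Removing the escape from one layer, as the reply does, fixes the round-trip; removing it from both layers would reintroduce the first two cases.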
