Ticket #99 (closed defect: fixed)

Opened 8 years ago

Last modified 7 years ago

Edit notes should be fed through htmlspecialchars

Reported by: dartar Owned by: unassigned
Priority: normal Milestone:
Component: core Version:
Severity: normal Keywords: validation


I made an edit note: "removed a <?php (too much)" and got "removed a ." Perhaps replacing <> would be the better option? --NilsLindenberg

Funny - I just stumbled over the same problem - only in the RecentChanges newsfeed: the <?php causes imbalanced tags there, and thus a syntax error: until that post has "aged" off of the feed, it can't be loaded any more! The validation result clearly shows what the problem is. So yes, edit notes should be fed through htmlspecialchars[_ent]() everywhere they're presented, and that includes the RSS feed! --JavaWoman

And the WikiPing, too :) --NilsLindenberg

Oh, is that what you removed, Nils. I couldn't figure out from the history what you did. Where did you take it from? And why? Did I have one more <?php than was necessary? In which code block? --GmBowen

It was at the beginning of mail.php:

<?php <?php

I guess you overlooked it when you copied your new version to the page. Happened to me in another case, too. --NilsLindenberg

Actually, the problem is not just with tags; any XML "special character" is going to cause an XML error. All will need to be escaped to ensure the RSS feeds and pings are valid XML. (We are having a problem again...) --JavaWoman
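The two failure modes above (the <?php in an edit note breaking the RecentChanges feed, and any other XML special character doing the same) can be reproduced with a few lines of PHP. The following is an added example written for this ticket, not Wikka's own code: it builds a minimal RSS item from a constructed edit note with and without escaping, checks whether the result is well-formed XML, and shows that the escaped value arrives at the reader unchanged. The function names, the sample notes and the author string are illustrative; plain htmlspecialchars() with ENT_QUOTES is used in place of the project's htmlspecialchars_ent() wrapper.

```php
<?php
// Added example, not part of Wikka: why a raw edit note breaks an RSS feed
// and how escaping it at output time fixes that. Function names, sample
// notes and the author string below are illustrative, not the project's.

/**
 * Build a minimal RSS 2.0 document with one <item> whose title,
 * description and author come from an edit note and its author.
 * When $escape is true the values pass through htmlspecialchars() with
 * ENT_QUOTES, so &, <, >, " and ' are all encoded; when false they are
 * emitted raw, which is what the feed handler did before the fix.
 */
function build_feed_item(string $note, string $author, bool $escape): string
{
    $enc = function (string $s) use ($escape): string {
        return $escape ? htmlspecialchars($s, ENT_QUOTES, 'UTF-8') : $s;
    };
    return '<?xml version="1.0" encoding="UTF-8"?>' . "\n"
        . '<rss version="2.0"><channel><title>RecentChanges</title>'
        . '<item>'
        . '<title>' . $enc($note) . '</title>'
        . '<description>' . $enc($note) . '</description>'
        . '<author>' . $enc($author) . '</author>'
        . '</item></channel></rss>';
}

/** True if $xml parses as well-formed XML; libxml errors are suppressed. */
function is_well_formed_xml(string $xml): bool
{
    $prev = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $ok = $doc->loadXML($xml);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    return $ok === true;
}

/** The decoded <description> text of the first item, or null if unparseable. */
function feed_description(string $xml): ?string
{
    $prev = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $ok = $doc->loadXML($xml);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if ($ok !== true) {
        return null;
    }
    $nodes = $doc->getElementsByTagName('description');
    return $nodes->length > 0 ? $nodes->item(0)->textContent : null;
}

// Constructed sample edit notes, modelled on the one in this ticket.
$notes = [
    'removed a <?php (too much)',   // starts an XML processing instruction that never closes
    "fixed R&D link, see 'notes'",  // a bare & is just as fatal in XML as a stray <
];

foreach ($notes as $note) {
    $raw     = build_feed_item($note, 'NilsLindenberg', false);
    $escaped = build_feed_item($note, 'NilsLindenberg', true);
    printf("%-30s raw: %-7s  escaped: %-5s  round-trips: %s\n",
        $note,
        is_well_formed_xml($raw) ? 'valid' : 'INVALID',
        is_well_formed_xml($escaped) ? 'valid' : 'INVALID',
        feed_description($escaped) === $note ? 'yes' : 'no');
}
```

Run it with `php feed_escape.php`: both raw items come out INVALID (libxml rejects the unterminated `<?php` instruction and the undefined entity reference after `&`), both escaped items are valid, and the parser hands the original note text back, so escaping loses nothing the author typed. Escaping is applied where the value is written out, once per presenter (HTML page, RSS handler, ping), rather than when the note is stored; a value escaped at storage time would be double-encoded in one output and raw in another.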


Fixed now: Code changes in wikka.php (GetPingParams()), actions/recentchanges.php, handlers/page/recentchanges.xml.php, handlers/page/recentchanges.xml.mm.php, handlers/page/revisions.php and handlers/page/revisions.xml.php . Installed on this server as "beta test" so we can watch behavior. --JavaWoman

Change History

Changed 8 years ago by DotMG

  • status changed from new to closed
  • resolution set to fixed

Fixed in [65]. + isolating i18n strings (For WikiPing, htmlspecialchars_ent used at WikiPing() instead of GetPingParams())

Changed 7 years ago by anonymous

Changed 7 years ago by BrianKoontz

  • status changed from reopened to closed
  • resolution set to fixed

Appears to have been inadvertently reopened.
