Montego Scripts: Forums
Palbin
Newbie
Joined: Nov 26, 2007
Posts: 25

PostPosted: Wed Aug 31, 2011 10:23 pm

Line 59 of admin/CategoryModify.php:
This needs to be removed as I think it is improperly stripping slashes.

gdFilter() is improperly stripping slashes and decoding entities.
Code:

$doStrip = (IN_RAVENNUKE && get_magic_quotes_gpc() == 1) ? true : false;

Needs to be changed to:
Code:

$doStrip = (IN_RAVENNUKE && get_magic_quotes_gpc() == 1) ? false : true;


Code:

return htmlspecialchars_decode(check_html($value, $strip));

Needs to be changed to:
Code:

return htmlspecialchars_decode(check_html($value, $strip), ENT_QUOTES);


Line 91 of public/index.php needs to have htmlspecialchars applied.
montego
Site Admin/Owner
Joined: Feb 12, 2005
Posts: 1399

PostPosted: Thu Sep 01, 2011 8:38 am

Thanks Palbin. I'll certainly take a look at these after I get HNL to you...

_________________
“To err is human, but when the eraser wears out ahead of the pencil, you’re overdoing it.”
-- Josh Jenkins 
montego
Site Admin/Owner
Joined: Feb 12, 2005
Posts: 1399

PostPosted: Mon Sep 05, 2011 10:53 pm

Palbin,

The following change bothers me a bit so I would like a second look on it please:

Code:

return htmlspecialchars_decode(check_html($value, $strip), ENT_QUOTES);


I am not seeing where the current RN 2.40.01 kses code is encoding the QUOTES. I just tested both the single quote and double quotes and they are coming through with no encoding. Therefore, I wouldn't want/need this extra ENT_QUOTES? Are there any potential issues with decoding something that was never intended to be decoded? Not sure...

montego
Site Admin/Owner
Joined: Feb 12, 2005
Posts: 1399

PostPosted: Mon Sep 05, 2011 10:55 pm

BTW, also went a little further with the $doStrip... don't know what I was thinkin'. Here is what I ended up with (a bit more thorough and direct):

Code:

   if (!isset($doStrip)) {
      if (IN_RAVENNUKE) {
         $doStrip = false; // RavenNuke(tm)'s check_html() function will take care of stripping if needed so avoid doing it twice
      } else {
         $doStrip = (get_magic_quotes_gpc() == 1) ? true : false; // If not in RavenNuke(tm) and magic quotes are on, definitely need to strip.
      }
   }
   if ($doStrip) $value = stripslashes($value);


Regards.

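As an added example (not the script's own code and not from either poster), the following PHP reproduces the double-strip this thread is about: a stand-in for the host framework's check_html() that strips slashes itself, the $doStrip decision as posted, and the original condition beside it for comparison. The function names (demo_check_html, demo_should_strip, demo_filter) and the sample input are constructed for the demo; the framework flag and magic-quotes state are passed as booleans instead of reading IN_RAVENNUKE and get_magic_quotes_gpc(), so it also runs on PHP versions where that function no longer exists.

```php
<?php
// Added example, not the project's code. Shows why stripping slashes in the
// filter AND in the framework's check_html() loses legitimate backslashes.

// Stand-in for the framework's check_html(): assumed to strip slashes itself
// whenever magic quotes are on, as the thread describes for RavenNuke.
function demo_check_html(string $value, bool $magicQuotesOn): string
{
    return $magicQuotesOn ? stripslashes($value) : $value;
}

// The corrected decision: inside the framework never strip here (the
// framework does it); outside it, strip only when magic quotes added slashes.
function demo_should_strip(bool $inFramework, bool $magicQuotesOn): bool
{
    if ($inFramework) {
        return false;
    }
    return $magicQuotesOn;
}

// The filter: optional strip, then hand off to the framework filter.
// $buggy = true reproduces the original condition (strip when inside the
// framework AND magic quotes are on), which strips twice.
function demo_filter(string $value, bool $inFramework, bool $magicQuotesOn, bool $buggy = false): string
{
    $doStrip = $buggy
        ? ($inFramework && $magicQuotesOn)
        : demo_should_strip($inFramework, $magicQuotesOn);
    if ($doStrip) {
        $value = stripslashes($value);
    }
    if ($inFramework) {
        $value = demo_check_html($value, $magicQuotesOn);
    }
    return $value;
}

// Constructed input: the user typed one backslash and an apostrophe.
$typed = 'C:\\temp O\'Brien';
// magic_quotes_gpc would have escaped both on the way in.
$asReceived = addslashes($typed);

$fixed  = demo_filter($asReceived, true, true);
$broken = demo_filter($asReceived, true, true, true);

echo "typed   : $typed\n";
echo "received: $asReceived\n";
echo "fixed   : $fixed\n";
echo "buggy   : $broken\n";
```

Run it with `php demo.php`: the fixed path returns exactly what was typed, while the buggy path has stripped `\t` down to `t`, since the second stripslashes() treats the remaining backslash as another escape. The general point is that exactly one layer is responsible for undoing magic quotes, and the filter must know which layer that is.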
Palbin
Newbie
Joined: Nov 26, 2007
Posts: 25

PostPosted: Tue Sep 06, 2011 7:40 am

I always encode both types of quotes on the front-end so I then decode them on the back-end. I did not check, but I think you are using htmlspecialchars($content, ENT_QUOTES, _CHARSET) so you are also encoding both on the front-end. My question also would be why would someone want to show the entity name itself?
montego
Site Admin/Owner
Joined: Feb 12, 2005
Posts: 1399

PostPosted: Tue Sep 06, 2011 8:30 am
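To make the ENT_QUOTES question concrete, here is an added PHP example (not the script's code and not from either poster) that encodes a value the way the front-end is described as doing, htmlspecialchars() with ENT_QUOTES, and then decodes it with and without ENT_QUOTES. Flags are passed explicitly because PHP 8.1 changed the defaults of both functions. The helper names (demo_encode_frontend, demo_decode_backend) and all sample strings are constructed for the demo.

```php
<?php
// Added example, not the project's code. Round trip of quotes through
// htmlspecialchars() / htmlspecialchars_decode() with explicit flags.

// Front-end side: encode both quote styles, as the thread says it does.
function demo_encode_frontend(string $content): string
{
    return htmlspecialchars($content, ENT_QUOTES, 'UTF-8');
}

// Back-end side: decode with whatever flags the caller chooses.
function demo_decode_backend(string $stored, int $flags): string
{
    return htmlspecialchars_decode($stored, $flags);
}

// Constructed input with both quote kinds and a tag.
$original = 'He said "it\'s <b>fine</b>"';
$stored   = demo_encode_frontend($original);

// ENT_COMPAT decodes &quot; but leaves &#039; alone; ENT_QUOTES decodes both,
// so only ENT_QUOTES restores the original when the encoder used ENT_QUOTES.
$compat = demo_decode_backend($stored, ENT_COMPAT);
$quotes = demo_decode_backend($stored, ENT_QUOTES);

echo "original  : $original\n";
echo "stored    : $stored\n";
echo "ENT_COMPAT: $compat\n";
echo "ENT_QUOTES: $quotes\n";
echo "round trip: " . ($quotes === $original ? 'ok' : 'MISMATCH') . "\n";

// The caveat raised in the thread: decoding rewrites every entity in the
// string, including ones the user literally typed. If a value reaches the
// decode step without having been encoded first, markup the user meant as
// text comes out as real markup.
$literal = 'Type &lt;b&gt; around a word to make it bold';
echo "literal   : $literal\n";
echo "decoded   : " . demo_decode_backend($literal, ENT_QUOTES) . "\n";
```

The decode flags only matter if they match the encode flags: an encoder using ENT_QUOTES followed by a decoder using ENT_COMPAT leaves `&#039;` in the data. The last two lines show the other side of the trade-off: a decode step is safe only on values that this code path encoded, which is why a value should be re-encoded with htmlspecialchars() at output time regardless of what the input filter did.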

That bit of code, Palbin, in gdFilter() is strictly to address one problem and that is kses' normalization of certain entities which comes about when using check_html() with RN. I use htmlspecialchars() ONLY if I need to encode upon output and this is long after using gdFilter().

Therefore, I believe how I have it within gdFilter() is appropriate.

Palbin
Newbie
Joined: Nov 26, 2007
Posts: 25

PostPosted: Tue Sep 06, 2011 2:35 pm

OK, I understand now.
montego
Site Admin/Owner
Joined: Feb 12, 2005
Posts: 1399

PostPosted: Tue Sep 06, 2011 3:12 pm

Cool.

I have one other small bug that Spastic mentioned to me in the DL blocks that I started researching this morning. I'll try and fix that one too unless you're in a hurry for the above tweaks. I have those done already.

Palbin
Newbie
Joined: Nov 26, 2007
Posts: 25

PostPosted: Tue Sep 06, 2011 10:47 pm

No hurry.
Palbin
Newbie
Joined: Nov 26, 2007
Posts: 25

PostPosted: Thu Sep 08, 2011 7:03 pm

You also need to remove rawurlencode() from the showresulting() function because it is causing problems with the homepage links in Popular and New.