Textpattern CMS support forum
Re: Apostrophes/single quotes in article titles
etc wrote:
That’s what I thought too, but I’m testing and retesting – it works. Could somebody confirm?
As Julián says, it shouldn’t work. If it works, you have some type of extra parser call, an additional parser and/or unsanitizer somewhere running, most likely the doing of a plugin.
When double quotes are used, the contents are treated and returned as they are. Nothing is parsed. Permlink tag also returns contents sanitized, so there is no chance of them being parsed by anything after that point. Normally you would need to use single quotes when an attribute value contains tags.
In other words, if the double quoted values are parsed even when sanitized, I would advise looking into what causes that ASAP if you use the same plugins/code on live installations. Because if that is truly happening, you may have some pretty serious security issue lying there. If the same happens to user-defined content (e.g. search query value), well, that’s no good.
Last edited by Gocom (2012-09-15 20:44:14)
Re: Apostrophes/single quotes in article titles
Gocom wrote:
As Julián says, it shouldn’t work. If it works, you have some type of extra parser call, an additional parser and/or unsanitizer somewhere running, most likely the doing of a plugin.
Guys, I agree it shouldn’t work, and it doesn’t on another localhost site, but it works on at least one of them (4.4.1 on wamp). Globally disabled plugins, php, installed vanilla page/article forms, even emptied cache – it’s still there. Even funnier: <txp:permlink title='<txp:title />'><txp:title /></txp:permlink> gives me true quotes in tooltip, not ' ; or " ;.
I have changed one line in publish.php, but it has nothing to do with parsing. That’s weird.
Edit: and it does not work on the remote from which the site has been imported, though they have diverged since.
Last edited by etc (2012-09-16 09:39:55)
Re: Apostrophes/single quotes in article titles
Looks like this weirdness happens only with the title attribute of <txp:permlink />, and only in 4.4.1. I have tested other tags/attributes – everything works as expected there.
Re: Apostrophes/single quotes in article titles
As I see it now, in 4.4.1 the attributes title, style and class of permlink() were not htmlspecialchars’ed, so they probably get parsed on secondpass. This was patched in 4.5, so we are all half right half wrong here.
So I second Jukka, there is a (well, minor) security issue in 4.4.1 here.
Last edited by etc (2012-09-16 13:22:23)
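A simplified model of the behaviour discussed in this thread, added here as an illustration and not taken from Textpattern's source or from any poster: a toy two-pass tag parser in which a permlink-like tag writes its double-quoted title attribute into the output either raw or through htmlspecialchars(). The function names (run_tag, parse_pass, render), the regex and the sample title are assumptions made for the example.

```php
<?php
// Toy two-pass tag parser (hypothetical model, not Textpattern source code).

const ARTICLE_TITLE = "Bob's article"; // constructed sample data

function run_tag(string $name, array $atts, bool $escape): string
{
    switch ($name) {
        case 'title':
            // Content tag: returns the stored title, sanitized.
            return htmlspecialchars(ARTICLE_TITLE, ENT_QUOTES, 'UTF-8');
        case 'permlink':
            $title = $atts['title'] ?? '';
            if ($escape) {
                // Escaped variant: the attribute value is encoded before output.
                $title = htmlspecialchars($title, ENT_QUOTES, 'UTF-8');
            }
            return '<a href="/article" title="' . $title . '">link</a>';
        default:
            return '';
    }
}

function parse_pass(string $tpl, bool $escape): string
{
    // Matches self-closing tags with double-quoted attributes only.
    $re = '/<txp:(\w+)((?:\s+\w+="[^"]*")*)\s*\/>/';
    return preg_replace_callback($re, function (array $m) use ($escape) {
        preg_match_all('/(\w+)="([^"]*)"/', $m[2], $pairs, PREG_SET_ORDER);
        $atts = [];
        foreach ($pairs as $p) {
            $atts[$p[1]] = $p[2]; // double-quoted value is taken literally
        }
        return run_tag($m[1], $atts, $escape);
    }, $tpl);
}

function render(string $tpl, bool $escape): string
{
    // Two passes: the output of the first is fed back into the parser.
    return parse_pass(parse_pass($tpl, $escape), $escape);
}

$tpl = '<txp:permlink title="<txp:title />" />';
echo render($tpl, false), "\n"; // raw attribute: inner tag is evaluated on pass two
echo render($tpl, true), "\n";  // escaped attribute: inner tag stays inert text
```

In the raw variant the first pass leaves a literal tag inside the generated title attribute, which the second pass then evaluates; in the escaped variant the angle brackets are encoded, so the second pass finds nothing to parse.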