Textpattern CMS support forum
#1 2012-07-24 03:59:34
- TheEric
- Plugin Author
- From: Wyoming
- Registered: 2004-09-17
- Posts: 566
htmlspecialchars as it relates to txplib_forms.php && comment.php
I’ve been steadily working on a gallery plugin for TXP that works with the six different URL schemes. While dickering with the messy method, I came across a double-encoded string. (e.g., index.php?id=4&image=Penguins.jpg) which would break my plugin which relies upon the image value being set. In looking at the code, I came across the following:
comment.php @ line(s) ~213&214
n.hInput('backpage', htmlspecialchars($url)) :
n.hInput('backpage', htmlspecialchars($backpage));
and if you’ll notice in txplib_forms.php @ line ~147 (function fInput)
$o .= ' value="'.htmlspecialchars($value).'"';
Isn’t this a touch redundant?
Last edited by TheEric (2012-07-24 04:01:32)
Re: htmlspecialchars as it relates to txplib_forms.php && comment.php
Yes, it’s redundant. I’ve filed issue report 230. A patch included.
TheEric wrote:
(e.g., index.php?id=4&image=Penguins.jpg)
Please see Plugin Development Guidelines. Please note that all plugin-introduced URL parameters do need to be prefixed (e.g. image).
If the image’s name in the mentioned URL is the one managed by Textpattern, also note that those aren’t sanitized at all and may need to be urlencoded (or likewise) if used in a URL, to prevent bad things from occurring.
Last edited by Gocom (2012-07-24 07:40:55)
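An added illustration of the two points raised in this thread (the double escaping TheEric quotes from hInput/fInput, and the URL encoding of image names Gocom mentions), written here as standalone PHP; it is not Textpattern's code nor the patch attached to issue 230, and the fInput_demo, hInput_double_encoded, hInput_fixed and image_url names are assumed:

```php
<?php
// Stripped-down stand-in for fInput(): it builds the <input> tag and escapes
// the value exactly once, for the HTML attribute context.
function fInput_demo(string $type, string $name, string $value): string
{
    return '<input type="' . $type . '" name="' . $name
         . '" value="' . htmlspecialchars($value) . '" />';
}

// Mirrors the quoted pattern: hInput pre-escapes the value and then fInput
// escapes it again, so a single "&" ends up as "&amp;amp;" in the attribute.
function hInput_double_encoded(string $name, string $value): string
{
    return fInput_demo('hidden', $name, htmlspecialchars($value));
}

// Escaping belongs at the point where the value enters the HTML attribute,
// so hInput only needs to pass the raw value through.
function hInput_fixed(string $name, string $value): string
{
    return fInput_demo('hidden', $name, $value);
}

// An image name is untrusted data in a URL context: percent-encode it for the
// query string here, and HTML-escape the finished URL only when printing it.
function image_url(int $id, string $image): string
{
    return 'index.php?id=' . $id . '&image=' . rawurlencode($image);
}

// Constructed sample value: the back-link TheEric describes.
$backpage = 'index.php?id=4&image=Penguins.jpg';

echo hInput_double_encoded('backpage', $backpage), "\n";
echo hInput_fixed('backpage', $backpage), "\n";

// Constructed image name with a space and an ampersand, escaped for the URL
// and then for the surrounding HTML.
echo htmlspecialchars(image_url(4, 'My Penguins & Co.jpg')), "\n";
```

In the double-encoded form the hidden field's real value is `index.php?id=4&amp;image=Penguins.jpg`, so when the form is submitted and that value is reused as a URL the query key becomes `amp;image` and `$_GET['image']` is never set; the single-escaped form decodes back to `&` in the browser, and the image name comes through as `My%20Penguins%20%26%20Co.jpg` rather than splitting the query string.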
#3 2012-07-24 14:00:58
- TheEric
- Plugin Author
- From: Wyoming
- Registered: 2004-09-17
- Posts: 566
Re: htmlspecialchars as it relates to txplib_forms.php && comment.php
Thanks for the patch.
Last edited by TheEric (2012-07-24 14:01:24)