
Textpattern CMS support forum


#1 2012-07-24 03:59:34

TheEric
Plugin Author
From: Wyoming
Registered: 2004-09-17
Posts: 566

htmlspecialchars as it relates to txplib_forms.php && comment.php

I’ve been steadily working on a gallery plugin for TXP that works with the six different URL schemes. While dickering with the messy method, I came across a double-encoded string (e.g., index.php?id=4&image=Penguins.jpg), which would break my plugin, which relies upon the image value being set. In looking at the code, I came across the following:

comment.php @ lines ~213 & 214

    n.hInput('backpage', htmlspecialchars($url)) :
    n.hInput('backpage', htmlspecialchars($backpage));

and if you’ll notice in txplib_forms.php @ line ~147 (function fInput)

    $o .= ' value="'.htmlspecialchars($value).'"';

Isn’t this a touch redundant?

Last edited by TheEric (2012-07-24 04:01:32)


#2 2012-07-24 07:40:28

Gocom
Developer Emeritus
From: Helsinki, Finland
Registered: 2006-07-14
Posts: 4,533

Re: htmlspecialchars as it relates to txplib_forms.php && comment.php

Yes, it’s redundant. I’ve filed issue report 230. A patch is included.

TheEric wrote:

(e.g., index.php?id=4&image=Penguins.jpg)

Please see Plugin Development Guidelines. Please note that all plugin-introduced URL parameters need to be prefixed (e.g. image).

If the image’s name in the mentioned URL is the one managed by Textpattern, also note that those aren’t sanitized at all and may need to be urlencoded (or likewise) if used in a URL, to prevent bad things from occurring.

Last edited by Gocom (2012-07-24 07:40:55)

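The following is an added example written for this page; it is not Textpattern’s own code. It reproduces the double-encoding TheEric describes in post #1 (a caller escaping a value that fInput escapes again) and the layered encoding Gocom asks for in post #2 (URL-encode an untrusted image name for the query string, then HTML-escape the finished URL once). `demo_fInput`/`demo_hInput` only mimic the shape of fInput/hInput from txplib_forms.php, and `abc_` / `abc_image` are a hypothetical plugin prefix and parameter name, not real Textpattern identifiers.

```php
<?php
// Added example, not Textpattern's own code. demo_fInput/demo_hInput mimic the
// shape of fInput/hInput from txplib_forms.php; "abc_" is a hypothetical plugin
// prefix and abc_image a hypothetical parameter name.
declare(strict_types=1);

// Output layer: escapes the value exactly once, at the point where it is
// emitted into an HTML attribute. This is the only place HTML escaping belongs.
function demo_fInput(string $type, string $name, string $value): string
{
    return '<input type="' . htmlspecialchars($type, ENT_QUOTES, 'UTF-8') . '"'
        . ' name="' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '"'
        . ' value="' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '" />';
}

function demo_hInput(string $name, string $value): string
{
    return demo_fInput('hidden', $name, $value);
}

// The pre-fix pattern from comment.php: the caller escapes, then fInput
// escapes again, so every '&' in the URL ends up as '&amp;amp;'.
function backpage_double_escaped(string $url): string
{
    return demo_hInput('backpage', htmlspecialchars($url, ENT_QUOTES, 'UTF-8'));
}

// The patched pattern: pass the raw URL and let the output layer escape once.
function backpage_single_escaped(string $url): string
{
    return demo_hInput('backpage', $url);
}

// What the browser sends back: it entity-decodes the attribute once and submits
// that string, which the server then parses as a query string. Returns the
// parameter names the server actually sees.
function round_trip_query(string $input_html): array
{
    preg_match('/value="([^"]*)"/', $input_html, $m);
    $submitted = html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
    parse_str(substr($submitted, strpos($submitted, '?') + 1), $params);
    return $params;
}

// Building a gallery link from an untrusted image name (Textpattern does not
// sanitise image names): URL-encode the value for the query string, then
// HTML-escape the finished URL exactly once for the href attribute.
function gallery_link(int $id, string $image_name): string
{
    $url = 'index.php?id=' . $id . '&abc_image=' . rawurlencode($image_name);
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">'
        . htmlspecialchars($image_name, ENT_QUOTES, 'UTF-8') . '</a>';
}

// Constructed sample input, taken from the URL quoted in the thread.
$url = 'index.php?id=4&image=Penguins.jpg';

foreach (['double' => backpage_double_escaped($url),
          'single' => backpage_single_escaped($url)] as $label => $html) {
    echo $label, ': ', $html, "\n";
    echo $label, ' round trip keys: ',
        implode(', ', array_keys(round_trip_query($html))), "\n";
}

// An awkward but legitimate file name: spaces, an ampersand and quotes.
echo gallery_link(4, 'Pen&guins "2".jpg'), "\n";
```

Running it shows why the redundancy is more than cosmetic: in the double-escaped variant the attribute holds `&amp;amp;`, the browser decodes that once to `&amp;image=Penguins.jpg`, and the server parses a parameter named `amp;image` rather than `image`, which is exactly the “image value not set” failure from post #1. The single-escaped variant round-trips to `id` and `image`. In `gallery_link` the two encoders are applied in order (rawurlencode for the query string, htmlspecialchars once for the attribute), so a name containing `&` or `"` neither breaks the query string nor escapes the attribute.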

#3 2012-07-24 14:00:58

TheEric
Plugin Author
From: Wyoming
Registered: 2004-09-17
Posts: 566

Re: htmlspecialchars as it relates to txplib_forms.php && comment.php

Thanks for the patch.

Last edited by TheEric (2012-07-24 14:01:24)

