Wikka : Mod026bDoubleDoubleQuoteInsecurity

HomePage :: Categories :: Index :: Changes :: Comments :: Documentation :: Blog :: Login/Register

Wikka Mod 026

Type: Bug Fix

Credit:

Joe Delaney
http://www.rci.rutgers.edu/~jpd/wakka/SomeChanges (archived)

Double Double-quote insecurity
It was possible to insert xhtml or other escaped code using double double-quotes. This has been stopped by changing
formatters/wakka.php line to use htmlspecialchars.

More changes along this line might be necessary, with htmlspecialchars() being used or (url encoding) any time text is passed straight through the formatter (urls into a link, for example).


Change:
return $matches[1];
to
return htmlspecialchars($matches[1]);

formatters/wakka.php
        // escaped text
        else if (preg_match("/^\"\"(.*)\"\"$/s", $thing, $matches))
        {
            return htmlspecialchars($matches[1]);
        }
There are no comments on this page. [Add comment]
Stats :: 2008-01-28 00:14:45 XML :: Owner: JsnX :: Search: 
Valid XHTML 1.0 Transitional :: Valid CSS :: Powered by WikkaWiki
Page was generated in 0.3715 seconds