This topic was marked solved by its starter, on October 7th, 2012, 05:11 PM
Subjects with quotes in them are broken

Arantor

« on April 27th, 2012, 05:24 PM »
I know it's been mentioned somewhere else but I wanted to discuss it here properly... eh, I did subsequently find it in the test board, http://wedge.org/pub/test/7303/test-topic/ where I mentioned the following:
Quote
Well, historically everything was done using htmlspecialchars with ENT_QUOTES so if it's not doing that now, there's a reason - and very likely that reason is code we've changed rather than code that's buggy in SMF.

Also note that the DB here isn't a true SMF database but one from Noisen's code which did have a lot of changes, and possibly including some that affected htmlspecialchars.

I'm fine with switching to ENT_NOQUOTES for such, provided that we can be certain there's no XSS injection risk. (There shouldn't be an SQL injection risk because of the query layer doing its own quoting.) It will certainly save some space (including the extra byte per row that I wanted to spend making it mediumtext ;))
Here's the problem: we don't re-encode it again in the display template. However, part of me thinks it would be better to re-encode it on saving and display the safe version at all times, rather than have potentially unsavoury content in the DB that could be used by plugin code that assumes it's safe like SMF does.

Thoughts?
When we unite against a common enemy that attacks our ethos, it nurtures group solidarity. Trolls are sensational, yes, but we keep everyone honest. | Game Memorial
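
The trade-off raised in the post above, as an added example that is not part of the original post or of the Wedge/SMF code: the same subject encoded on save with ENT_QUOTES and with ENT_NOQUOTES, then checked for use inside a quoted HTML attribute and re-encoded at display time. The sample subject and the helpers `safe_in_attribute()` and `for_display()` are hypothetical names made up for this illustration.

```php
<?php
// Constructed sample subject, not taken from the forum's database.
$subject = 'Re: "quoted" subject & it\'s <b>bold</b>';

// Encode-on-save with each flag set the post compares.
$stored = [
    'ENT_QUOTES'   => htmlspecialchars($subject, ENT_QUOTES, 'UTF-8'),
    'ENT_NOQUOTES' => htmlspecialchars($subject, ENT_NOQUOTES, 'UTF-8'),
];

// Hypothetical check: can the stored value go into a quoted attribute
// (title="...", value="...") with no further encoding?
function safe_in_attribute(string $stored): bool
{
    return strpbrk($stored, "\"'<>") === false;
}

// Hypothetical display helper: escape quotes at output time. The fourth
// argument (double_encode = false) leaves entities written at save time
// alone, so rows stored under either policy render the same.
function for_display(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES, 'UTF-8', false);
}

foreach ($stored as $policy => $value) {
    printf("%s (%d bytes)\n", $policy, strlen($value));
    printf("  stored:            %s\n", $value);
    printf("  attribute-safe:    %s\n", safe_in_attribute($value) ? 'yes' : 'no');
    printf("  after for_display: %s\n", for_display($value));
}

// Both policies converge once the display layer re-encodes.
var_dump(for_display($stored['ENT_QUOTES']) === for_display($stored['ENT_NOQUOTES']));
```

The ENT_NOQUOTES row is shorter and is fine as element text, but it still holds raw quote characters, so any template or plugin that places it in an attribute without re-encoding is relying on an assumption the stored data no longer meets.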