This topic was marked solved by live627, on March 9th, 2013, 11:28 PM

Anthony`

  • Posts: 53
Minor Quick Edit Bug
« on November 4th, 2012, 09:16 PM »
It seems when I try to quick edit a post with double quotes (") in it, the JavaScript has an issue with the quote(s) and instead replaces the entire title textbox with a slash (\). Possible escape issue? Every other special character on my keyboard works fine.

I made a test topic for this here,
http://wedge.org/pub/test/7658/hello-world/msg282990/#msg282990
Just click on the quick edit icon and look at the title's textbox.



Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Re: Minor Quick Edit Bug
« Reply #2, on February 20th, 2013, 05:59 AM »
And this is actually still broken :/ Quick edit never got fixed, it seems.

The cause of this is in the way the content is converted by:
Code:
oCurSubjectDiv = $('#msg' + sCurMessageId + ' h5');
sSubjectBuffer = oCurSubjectDiv.html();

If the subject is entity escaped, there's no problem, it absolutely works as expected.

* Arantor is sorely tempted to just forcibly encode everything back with ENT_QUOTES how it used to be because nothing broke when that happened, there were no strange necessities of workarounds or anything like we have now, fixing every edge case when it appears.

I won't do it tomorrow, I'm out most of tomorrow but on Thursday I'm advising now that I'm going to do it and frankly I don't care about the extra bytes (most of which will be gzipped out anyway, or if we hide the subject it will be even less of a problem anyway). I am fed up with having to dance around security matters for the saving of a few bytes.

Anthony`

  • Posts: 53
Re: Minor Quick Edit Bug
« Reply #3, on February 20th, 2013, 10:17 PM »
I see, so the error makes good sense in terms of entity-escaping issues. I think that's the way to go to be honest, because it is quite easy to leave an unintended security flaw.

Nao

  • Dadman with a boy
  • Posts: 16,082
Re: Minor Quick Edit Bug
« Reply #4, on February 21st, 2013, 06:53 PM »
What? Never got fixed..?
I thought I'd touched something like that not so long ago...

Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Re: Minor Quick Edit Bug
« Reply #5, on February 21st, 2013, 06:55 PM »
It never got fixed.

I fixed most of the issues by re-forcing westr::safe with ENT_QUOTES on some of the places, notably quick reply, full reply in some other cases, but I forgot that.

As far as I'm concerned we should just be forcing it on save regardless. Safe by default, and damn the byte cost for once.
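
The escaping gap discussed in this thread, as an added example that is not part of the original posts and is not Wedge's code: markup read back with .html() leaves quotes unencoded, so it is only safe inside a quoted attribute after ENT_QUOTES-style encoding. It assumes the subject buffer is concatenated into a double-quoted value attribute; the function names and the sample subject are constructed for illustration.

```javascript
// Added example: hypothetical helper names, constructed sample subject.

// Text nodes serialized via innerHTML (what jQuery's .html() returns)
// escape &, < and > but leave " and ' as literal characters.
function innerHtmlOfText(text) {
  return text.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Encode the two quote characters the way PHP's ENT_QUOTES flag does.
function encodeQuotes(markup) {
  return markup.replace(/"/g, '&quot;').replace(/'/g, '&#039;');
}

// Assumption: the edit box is built by string concatenation.
function buildSubjectInput(valueMarkup) {
  return '<input type="text" name="subject" value="' + valueMarkup + '">';
}

// Minimal stand-in for an HTML parser: a double-quoted attribute value
// ends at the first literal ", then entities are decoded (&amp; last).
function parsedValue(inputHtml) {
  const raw = /value="([^"]*)"/.exec(inputHtml)[1];
  return raw.replace(/&quot;/g, '"').replace(/&#039;/g, "'")
            .replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&amp;/g, '&');
}

// Compare what the text box would hold with and without quote encoding.
function demo(subject) {
  const buffer = innerHtmlOfText(subject); // like oCurSubjectDiv.html()
  return {
    unencoded: parsedValue(buildSubjectInput(buffer)),
    encoded: parsedValue(buildSubjectInput(encodeQuotes(buffer))),
  };
}

const sample = 'Tom & "Jerry" <3'; // constructed subject
console.log(demo(sample));
```

Without quote encoding the value is cut off at the first double quote, and anything after it is parsed as further attribute markup, which is why encoding quotes by default is the safer choice.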