Wedge

Public area => Bug reports => The Pub => Test board => Topic started by: Anthony` on November 4th, 2012, 08:40 PM

Title: "hello world!"
Post by: Anthony` on November 4th, 2012, 08:40 PM
Blah blah don't mind me.
Title: Re: \
Post by: live627 on November 4th, 2012, 10:54 PM
Do titles with quotes carry into reply subjects?
Posted: November 4th, 2012, 10:52 PM

Yes! Doing a quick edit...
Title: Re: "hello world!"
Post by: Arantor on November 4th, 2012, 11:46 PM
Well... some time ago, it was decided to save a few bytes by not using the &quot; entity and by using bare " in subjects. The rest of the system was originally built with the assumption that it would be working on entity-encoded subjects rather than bare quotes, and so it fails.

I fixed most of the cases, though in hindsight I should have just reverted the change in the first place because of security issues.
Title: Re: \
Post by: Nao on November 5th, 2012, 12:33 AM
So, should it be reverted or not..?

NB: the test board topics don't show up in the latest topics entry on the homepage. It only does for Pete and me, because we're special and the homepage accounts for us. :P
Title: Re: "hello world!"
Post by: Arantor on November 5th, 2012, 12:43 AM
I was never overly fond of it being changed in the first place, though IIRC I said I was fine with saving the few bytes per instance if there were no security implications.

Given how many bugs there are - and may yet be found - I'd suggest we do revert it, so that both subjects and bodies are saved with ENT_QUOTES.
Title: Re: "hello world!"
Post by: Nao on November 5th, 2012, 12:46 AM
Ooh... Dilemma.
What's the alternative?
Title: Re: "hello world!"
Post by: Arantor on November 5th, 2012, 01:34 AM
The choice: saving a few bytes per quote which means you absolutely know the content is safe to be thrown around in inputs, or other form items or indeed via JS.

Or, fixing it every time this comes up. I already had to put a workaround into the display code so that the subject would be cleaned and quick reply would actually get this right.

I stand by what I said: I was fine with this as long as security's not an issue. Except we're half a step away from security issues with this. I'm *still* not entirely convinced there isn't an XSS bug lurking because of this; I never have been convinced it is as secure as using htmlspecialchars with ENT_QUOTES everywhere and just being done with it.
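How the two storage choices play out once a subject reaches an attribute or a JS string, as an added example that is not Wedge's or SMF's code; the subject, the templates and every function name are constructed for illustration. htmlspecialchars with ENT_NOQUOTES stands in for the bare-quote storage the thread describes, and the DOMDocument check stands in for a browser's tokenizer:

```php
<?php
// Added example, not code from Wedge or SMF. The subject, the templates and
// every function name below are constructed for illustration only.
declare(strict_types=1);

// Constructed subject: the thread's own title followed by an attribute-breakout
// payload, to show what a bare " can do once it reaches an attribute context.
const SUBJECT = '"hello world!" onmouseover="alert(1)';

// Storage policy the thread says Wedge switched to: encode <, > and &, keep quotes bare.
function storeBare(string $subject): string
{
    return htmlspecialchars($subject, ENT_NOQUOTES, 'UTF-8');
}

// Storage policy Arantor proposes going back to: quotes become &quot; and &#039; too.
function storeQuoted(string $subject): string
{
    return htmlspecialchars($subject, ENT_QUOTES, 'UTF-8');
}

// Display-side workaround for data already in the DB: re-escape at output without
// double-encoding the entities the stored value already contains.
function cleanForOutput(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES, 'UTF-8', false);
}

// A quick-reply template that trusts the stored value, as code written against
// entity-encoded subjects would.
function quickReplyInput(string $storedSubject): string
{
    return '<input type="text" name="subject" value="Re: ' . $storedSubject . '">';
}

// JS context, same trust: the stored value is pasted into a double-quoted literal,
// so a bare " in the subject ends the literal early.
function quickReplyScriptTrusting(string $storedSubject): string
{
    return '<script>var subject = "Re: ' . $storedSubject . '";</script>';
}

// JS context done safely regardless of storage policy: decode back to the raw
// subject, then let json_encode build the literal with <, >, &, " and ' hex-escaped.
function quickReplyScriptSafe(string $storedSubject): string
{
    $raw = html_entity_decode($storedSubject, ENT_QUOTES, 'UTF-8');
    $literal = json_encode('Re: ' . $raw,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_QUOT | JSON_HEX_APOS | JSON_THROW_ON_ERROR);
    return '<script>var subject = ' . $literal . ';</script>';
}

// Parse the rendered markup and report whether the payload became a real
// attribute on the <input>, i.e. whether the bare quote broke out of value="...".
function injectedAttribute(string $html): bool
{
    $dom = new DOMDocument();
    libxml_use_internal_errors(true);
    $dom->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    $input = $dom->getElementsByTagName('input')->item(0);
    return $input !== null && $input->hasAttribute('onmouseover');
}

$cases = [
    'bare storage, trusted on output'       => quickReplyInput(storeBare(SUBJECT)),
    'bare storage, cleaned on output'       => quickReplyInput(cleanForOutput(storeBare(SUBJECT))),
    'ENT_QUOTES storage, trusted on output' => quickReplyInput(storeQuoted(SUBJECT)),
];

// The "few bytes": each " costs five more bytes as &quot; than as a bare quote.
printf("stored bytes: bare=%d ENT_QUOTES=%d\n\n",
    strlen(storeBare(SUBJECT)), strlen(storeQuoted(SUBJECT)));

foreach ($cases as $label => $html) {
    printf("%s\n  injected attribute: %s\n  %s\n\n",
        $label, injectedAttribute($html) ? 'YES' : 'no', $html);
}

echo quickReplyScriptTrusting(storeBare(SUBJECT)), "\n";
echo quickReplyScriptSafe(storeBare(SUBJECT)), "\n";
```

Run it with php on the command line. Only the first case reports an injected attribute: with bare-quote storage, every output path that can reach an attribute or a script context has to clean the value itself, which is the per-site workaround described above; with ENT_QUOTES storage the stored value is safe in an attribute as-is, and the JS context still needs json_encode (or equivalent) either way, because HTML entities are not JS escapes.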
Title: Re: "hello world!"
Post by: Anthony` on November 5th, 2012, 02:23 AM
Interesting, I didn't realize this was the situation regarding the encoding of subjects. I don't know about any XSS bugs but I will play around with that idea for a bit the next time I get a chance to.
Title: Re: "hello world!"
Post by: Arantor on November 5th, 2012, 03:54 AM
Yup, SMF forcibly encoded everything, it's been relaxed but it might become less relaxed again.
Title: Re:
Post by: live627 on March 10th, 2013, 01:42 AM
test
Posted: March 10th, 2013, 01:41 AM

Huh, the damn title is gone.
Title: Re:
Post by: Arantor on March 10th, 2013, 01:44 AM
That would be because we now have a ton of stuff in our DB here that is not properly escaped. Which for them means no practical difference.