"hello world!"
Anthony`

  • Posts: 53
"hello world!"
« on November 4th, 2012, 08:40 PM »Last edited on November 4th, 2012, 08:52 PM
Blah blah don't mind me.

live627

  • Should five per cent appear too small / Be thankful I don't take it all / 'Cause I'm the taxman, yeah I'm the taxman
  • Posts: 1,667
Re: \
« Reply #1, on November 4th, 2012, 10:54 PM »
do titled quotes carry in reply subjects?
Posted: November 4th, 2012, 10:52 PM

yes! doing quick edit...
A confident man keeps quiet, whereas a frightened man keeps talking, hiding his fear.

Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Re: "hello world!"
« Reply #2, on November 4th, 2012, 11:46 PM »
Well... some time ago, it was decided to save a few bytes by not using the quot entity and by using bare " in subjects. The rest of the system was originally built with the assumption that it would be working on entity-encoded subjects rather than bare quotes and so it fails.

I fixed most of the cases, though in hindsight I should have just reverted the change in the first place because of security issues.
When we unite against a common enemy that attacks our ethos, it nurtures group solidarity. Trolls are sensational, yes, but we keep everyone honest. | Game Memorial

Nao

  • Dadman with a boy
  • Posts: 16,063
Re: \
« Reply #3, on November 5th, 2012, 12:33 AM »
So, should it be reverted or not..?

NB: the test board topics don't show up in the latest topics entry on the homepage. It only does for Pete and me, because we're special and the homepage accounts for us. :P

Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Re: "hello world!"
« Reply #4, on November 5th, 2012, 12:43 AM »
I was never overly fond of it being changed in the first place, though IIRC I said I was fine with saving the few bytes per instance if there were no security implications.

Given how many bugs there are - and may still yet be found - I'd suggest we do revert it for both subjects and bodies to be saved with ENT_QUOTES.

Nao

  • Dadman with a boy
  • Posts: 16,063
Re: "hello world!"
« Reply #5, on November 5th, 2012, 12:46 AM »
Ooh... Dilemma.
What's the alternative?

Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Re: "hello world!"
« Reply #6, on November 5th, 2012, 01:34 AM »
The choice: saving a few bytes per quote which means you absolutely know the content is safe to be thrown around in inputs, or other form items or indeed via JS.

Or, fixing every time this comes up. I already had to put a workaround into the display code so that the subject would be cleaned so quick reply would actually get this right.

I stand by what I said: I was fine with this all the time security's not an issue. Except we're half a step away from security issues with this. I'm *still* not entirely convinced there isn't an XSS bug lurking because of this, I never have been convinced of its being as secure as using htmlspecialchars with ENT_QUOTES everywhere and just being done with it.
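Added example (PHP, not Wedge's or SMF's own code) of the trade-off described in the reply above: the thread's own subject rendered into a quick-reply field and an inline script when stored bare versus stored through htmlspecialchars() with ENT_QUOTES. The render helpers and storage functions are assumptions for illustration, not the forum's actual display code.

```php
<?php
// Two storage policies the thread compares: keep the raw " to save the
// bytes of &quot;, or encode with ENT_QUOTES so both " and ' are inert.
function store_bare(string $subject): string {
    return $subject;
}
function store_encoded(string $subject): string {
    return htmlspecialchars($subject, ENT_QUOTES, 'UTF-8');
}

// Hypothetical rendering paths that were written assuming an already
// entity-encoded subject: a quick-reply form field and an inline script.
function render_input(string $stored): string {
    return '<input name="subject" value="' . $stored . '">';
}
function render_js(string $stored): string {
    return "<script>var subject = '" . $stored . "';</script>";
}

// Count double quotes that reach the markup unencoded (should be 2 for
// the attribute delimiters themselves, no more).
function raw_quotes(string $html): int {
    return substr_count($html, '"');
}

$subject = '"hello world!"';   // the thread title, used as constructed input

echo render_input(store_bare($subject)), "\n";
// <input name="subject" value=""hello world!"">   attribute ends early
echo raw_quotes(render_input(store_bare($subject))), "\n";     // 4

echo render_input(store_encoded($subject)), "\n";
// <input name="subject" value="&quot;hello world!&quot;">  intact
echo raw_quotes(render_input(store_encoded($subject))), "\n";  // 2

// ENT_COMPAT (the pre-8.1 default) leaves ' alone, so a subject containing
// an apostrophe still terminates a single-quoted JS literal; ENT_QUOTES
// turns it into &#039; and the literal stays closed where intended.
$apos = "it's";
echo render_js(htmlspecialchars($apos, ENT_COMPAT, 'UTF-8')), "\n";  // it's
echo render_js(htmlspecialchars($apos, ENT_QUOTES, 'UTF-8')), "\n";  // it&#039;s
```

Browsers decode the entities back to plain quotes when displaying the field or after the script reads them, so the encoded form costs nothing visible to users.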

Anthony`

  • Posts: 53
Re: "hello world!"
« Reply #7, on November 5th, 2012, 02:23 AM »
Interesting, I didn't realize this was the situation regarding the encoding of subjects. I don't know about any XSS bugs but I will play around with that idea for a bit the next time I get a chance to.

Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Re: "hello world!"
« Reply #8, on November 5th, 2012, 03:54 AM »
Yup, SMF forcibly encoded everything, it's been relaxed but it might become less relaxed again.

live627

  • Should five per cent appear too small / Be thankful I don't take it all / 'Cause I'm the taxman, yeah I'm the taxman
  • Posts: 1,667
Re:
« Reply #9, on March 10th, 2013, 01:42 AM »
ttest
Posted: March 10th, 2013, 01:41 AM

huh, the damn title is gone

Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Re:
« Reply #10, on March 10th, 2013, 01:44 AM »
That would be because we now have a ton of stuff in our DB here that is not properly escaped. Which for them means no practical difference.