Viewing Issue Advanced Details
ID: 0001437
Category: [In-Portal CMS] Front End
Type: bug report
Reproducibility: always
Date Submitted: 2012-11-05 11:31
Last Update: 2012-11-05 11:31

Reporter: alex
View Status: public
Project Name: In-Portal CMS
Assigned To:
Developer:
Priority: normal
Resolution: open
Platform:
Status: active
OS:
OS Version:
ETA: none
Fixed in Version:
Product Version: 5.1.0
Target Version: 5.3.0
Product Build:
Time Estimate: No estimate

Summary:
0001437: Prevent force-escaping of data on Front-End
Description:
Preface:
In-Portal applies the "htmlspecialchars" function to all input that comes from a Front-End user.
This is good, but when the submitted link name is "good & bad", it becomes "good &amp; bad" in the database and produces the URL "/category/good-amp-bad.html". Both "&" and ";" are restricted symbols and are stripped from the URL, but "amp" stays.
Solution:
1. kHTTPQuery class - don't automatically encode all input that comes from the Front-End.
2. Front-End templates - find every use of the inp2: tag that is glued into HTML markup (e.g. <input value="_INP_TAG_HERE_"/>) and add html_escape="1" to prevent " or ' from breaking the HTML tag.
3. Scan all text fields in the database and run the htmlspecialchars_decode function on them, no matter what's inside. I suppose that function is clever enough to keep the existing field value if nothing needs to be replaced.
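The three-step plan above, worked through as an added PHP example. This is not In-Portal code: makeSlug() and renderInput() are assumed stand-ins for the project's URL builder and for an inp2: tag glued into an attribute, and the submitted values and "database rows" are constructed for the demonstration.

```php
<?php
// Added example, not In-Portal code. makeSlug() and renderInput() are
// stand-ins for the URL and template code (assumed); the input values and
// "database rows" below are constructed for the demonstration.

declare(strict_types=1);

// Rough stand-in for the URL builder: keep [a-z0-9], turn every other run of
// characters into a single "-". Restricted characters such as "&" and ";"
// vanish, but the letters of an entity name survive.
function makeSlug(string $name): string
{
    $slug = preg_replace('/[^a-z0-9]+/', '-', strtolower($name));
    return trim($slug, '-');
}

// Stand-in for the template: a value glued into an attribute.
// $escape mirrors html_escape="1" (escape at output time) versus no escaping.
function renderInput(string $value, bool $escape): string
{
    $v = $escape ? htmlspecialchars($value, ENT_QUOTES, 'UTF-8') : $value;
    return '<input value="' . $v . '"/>';
}

$submitted = 'good & bad';

// Current behaviour: the request layer escapes everything on the way in, so
// the entity is what gets stored and what the slug is built from.
$storedEscaped = htmlspecialchars($submitted, ENT_QUOTES, 'UTF-8'); // good &amp; bad
printf("before: stored=%s slug=%s\n", $storedEscaped, makeSlug($storedEscaped)); // slug=good-amp-bad

// After step 1: the raw value is stored, the slug is right, and after step 2
// the value is escaped only at the point where it meets HTML.
printf("after:  stored=%s slug=%s\n", $submitted, makeSlug($submitted)); // slug=good-bad
printf("after:  %s\n", renderInput($submitted, true));

// Why step 2 has to reach every template before step 1 ships: once input is
// no longer escaped on the way in, a value containing a quote closes the
// attribute unless html_escape="1" is present on that particular tag.
$quoted = '" onfocus="alert(1)';
printf("missing html_escape: %s\n", renderInput($quoted, false)); // attribute broken
printf("with html_escape:    %s\n", renderInput($quoted, true));  // quote stays inside the value

// Step 3 migration over already-stored rows (constructed): decode once per
// field. Values without entities pass through unchanged; a value the user
// typed literally as "&amp;" was stored as "&amp;amp;" and decodes back to
// exactly what was typed, because the escape was applied exactly once.
$rows = ['good &amp; bad', 'plain name', 'it&#039;s &quot;quoted&quot;', 'Tom &amp;amp; Jerry'];
foreach ($rows as $stored) {
    $decoded = htmlspecialchars_decode($stored, ENT_QUOTES);
    printf("%-28s -> %s\n", $stored, $decoded);
}
```

Two caveats for anyone carrying out the plan. Step 1 removes the global safety net, so step 2 must cover every template that emits front-end data into markup before step 1 is deployed; otherwise the "missing html_escape" rendering is what reaches the browser. Step 3 is exact only for fields that were written solely through the escaped kHTTPQuery path, since one decode pass undoes exactly one htmlspecialchars; a value that reached the table unescaped by another route (admin side, import) and happens to contain entity text would be altered by the same pass.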
Steps To Reproduce:

Additional Information:

Tags: No tags attached.

Reference: https://groups.google.com/d/topic/in-portal-bugs/Xp1w4_As7hw/discussion
Change Log Message: Fixes forced-escaping of front-end input
Estimate Points: 2

Attached Files: