| Author |
Message |
Palbin
Newbie


Joined: Nov 26, 2007
Posts: 22
|
Posted:
Wed Aug 31, 2011 10:23 pm |
|
Line 59 of admin/CategoryModify.php:
This needs to be removed as I think it is improperly stripping slashes.
gdFilter() is improperly stripping slashes and decoding entities.
| Code: |
$doStrip = (IN_RAVENNUKE && get_magic_quotes_gpc() == 1) ? true : false;
|
Needs changed to:
| Code: |
$doStrip = (IN_RAVENNUKE && get_magic_quotes_gpc() == 1) ? false : true;
|
| Code: |
return htmlspecialchars_decode(check_html($value, $strip));
|
Needs changed to:
| Code: |
return htmlspecialchars_decode(check_html($value, $strip), ENT_QUOTES);
|
Line 91 of public/index.php needs to have htmlspecialchars applied. |
| |
|
|
 |
montego
Site Admin/Owner


Joined: Feb 12, 2005
Posts: 1294
|
Posted:
Thu Sep 01, 2011 8:38 am |
|
Thanks Palbin. I'll certainly take a look at these after I get HNL to you... |
_________________ “To err is human, but when the eraser wears out ahead of the pencil, you’re overdoing it.”
-- Josh Jenkins |
|
|
 |
montego
Site Admin/Owner


Joined: Feb 12, 2005
Posts: 1294
|
Posted:
Mon Sep 05, 2011 10:53 pm |
|
Palbin,
The following change bothers me a bit so I would like a second look on it please:
| Code: |
return htmlspecialchars_decode(check_html($value, $strip), ENT_QUOTES);
|
I am not seeing where the current RN 2.40.01 kses code is encoding the QUOTES. I just tested both the single quote and double quotes and they are coming through with no encoding. Therefore, I wouldn't want/need this extra ENT_QUOTES? Are there any potential issues with decoding something that was never intended to be decoded? Not sure... |
|
|
 |
montego
Site Admin/Owner


Joined: Feb 12, 2005
Posts: 1294
|
Posted:
Mon Sep 05, 2011 10:55 pm |
|
BTW, also went a little further with the $doStrip... don't know what I was thinkin'. Here is what I ended up with (a bit more thorough and direct):
| Code: |
if (!isset($doStrip)) {
    if (IN_RAVENNUKE) {
        $doStrip = false; // RavenNuke(tm)'s check_html() function will take care of stripping if needed so avoid doing it twice
    } else {
        $doStrip = (get_magic_quotes_gpc() == 1) ? true : false; // If not in RavenNuke(tm) and magic quotes are on, definitely need to strip.
    }
}
if ($doStrip) $value = stripslashes($value);
|
Regards. |
|
|
 |
Palbin
Newbie


Joined: Nov 26, 2007
Posts: 22
|
Posted:
Tue Sep 06, 2011 7:40 am |
|
I always encode both types of quotes on the front-end so I then decode them on the back-end. I did not check, but I think you are using htmlspecialchars($content, ENT_QUOTES, _CHARSET) so you are also encoding both on the front-end. My question also would be why would someone want to show the entity name itself? |
| |
|
|
 |
montego
Site Admin/Owner


Joined: Feb 12, 2005
Posts: 1294
|
Posted:
Tue Sep 06, 2011 8:30 am |
|
That bit of code, Palbin, in gdFilter() is strictly to address one problem and that is kses' normalization of certain entities which comes about when using check_html() with RN. I use htmlspecialchars() ONLY if I need to encode upon output and this is long after using gdFilter().
Therefore, I believe how I have it within gdFilter() is appropriate. |
|
|
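The two behaviours debated in the posts above (stripping slashes twice, and decoding entities after the tag filter has run, with and without ENT_QUOTES) can be reproduced with the sketch below, which is an added example and not code from the thread, gdFilter() or RavenNuke. Assumptions: demoFilter() is a hypothetical stand-in that uses strip_tags() in place of check_html()/kses, addslashes() simulates what magic quotes used to deliver, and ENT_COMPAT is passed explicitly because PHP 8.1 changed the default flags of htmlspecialchars_decode() to include ENT_QUOTES.

```php
<?php
// Added illustration; not RavenNuke or gdFilter() code.
// demoFilter() is a hypothetical stand-in for a tag filter such as check_html().
function demoFilter(string $value): string
{
    return strip_tags($value); // removes real tags only; entity text passes through
}

// 1) Stripping slashes twice damages input that legitimately contains a backslash.
$typed  = "C:\\temp and O'Brien";   // constructed sample: what the user typed
$quoted = addslashes($typed);       // simulates what magic quotes would deliver
$once   = stripslashes($quoted);    // one strip restores the typed value
$twice  = stripslashes($once);      // a second strip also eats the user's own backslash
printf("once  matches typed: %s\n", var_export($once === $typed, true));
printf("twice matches typed: %s (%s)\n", var_export($twice === $typed, true), $twice);

// 2) ENT_COMPAT decodes only double quotes; ENT_QUOTES decodes single quotes too.
$encoded = htmlspecialchars("a \"b\" 'c'", ENT_QUOTES, 'UTF-8');
printf("encoded:    %s\n", $encoded);
printf("ENT_COMPAT: %s\n", htmlspecialchars_decode($encoded, ENT_COMPAT));
printf("ENT_QUOTES: %s\n", htmlspecialchars_decode($encoded, ENT_QUOTES));

// 3) Decoding after the filter turns entity text into markup the filter never saw.
$entityText = '&lt;b&gt;bold&lt;/b&gt;';   // constructed: user typed entity names
$filtered   = demoFilter($entityText);     // unchanged, it contains no real tags
$decoded    = htmlspecialchars_decode($filtered, ENT_QUOTES);
printf("filtered: %s\n", $filtered);
printf("decoded:  %s\n", $decoded);

// Whatever the decode step produced, encode once at the point of output.
$safeOut = htmlspecialchars($decoded, ENT_QUOTES, 'UTF-8');
printf("output:   %s\n", $safeOut);
```

Run it with the PHP CLI; case 3 is why a value decoded after filtering still has to be encoded when it is written into a page.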
 |
Palbin
Newbie


Joined: Nov 26, 2007
Posts: 22
|
Posted:
Tue Sep 06, 2011 2:35 pm |
|
|
|
 |
montego
Site Admin/Owner


Joined: Feb 12, 2005
Posts: 1294
|
Posted:
Tue Sep 06, 2011 3:12 pm |
|
Cool.
I have one other small bug that Spastic mentioned to me in the DL blocks that I started researching this morning. I'll try and fix that one too unless you're in a hurry for the above tweaks. I have those done already. |
|
|
 |
Palbin
Newbie


Joined: Nov 26, 2007
Posts: 22
|
Posted:
Tue Sep 06, 2011 10:47 pm |
|
|
|
 |
Palbin
Newbie


Joined: Nov 26, 2007
Posts: 22
|
Posted:
Thu Sep 08, 2011 7:03 pm |
|
You also need to remove rawurlencode() from the showresulting() function because it is causing problems with the homepage links in Popular and New. |
| |
|
|
 |
|
|