antedeguemon correctly noted that the body is already sanitized and the email is saved using htmlspecialchars(). However the lainchan patcher used escaping on all the fields, resulting in double-escaping.
Escaping has to be done in the PHP rather than the HTML if $config[html_minify] is enabled (such as on Leftypol) or else there's no way to preserve newlines in posts (or other special whitespace).
(An alternative solution, possibly better and more internally consistent, is sanitize the name and subject files before storing. However this solution is simple and has no side effects to deal with, and brings it inline with vichan's development)
I have determined with confidence that the vichan fix is safe and correct.
The problem reported to lainchan was that editing a post subject could lead to HTML injection. https://github.com/lainchan/lainchan/issues/94
This same issue was noted by vichan a month later. https://github.com/vichan-devel/vichan/pull/230
antedeguemon correctly noted that the body is already sanitized and the email is saved using `htmlspecialchars()`. However the lainchan patcher used escaping on all the fields, resulting in double-escaping.
Escaping has to be done in the PHP rather than the HTML if `$config[html_minify]` is enabled (such as on Leftypol) or else there's no way to preserve newlines in posts (or other special whitespace).
(An alternative solution, possibly better and more internally consistent, is sanitize the name and subject files before storing. However this solution is simple and has no side effects to deal with, and brings it inline with vichan's development)
See: https://github.com/towards-a-new-leftypol/leftypol_lainchan/issues/302
I have determined with confidence that the vichan fix is safe and correct.
The problem reported to lainchan was that editing a post subject could lead to HTML injection. https://github.com/lainchan/lainchan/issues/94
This same issue was noted by vichan a month later. https://github.com/vichan-devel/vichan/pull/230
antedeguemon correctly noted that the body is already sanitized and the email is saved using
htmlspecialchars()
. However the lainchan patcher used escaping on all the fields, resulting in double-escaping.Escaping has to be done in the PHP rather than the HTML if
$config[html_minify]
is enabled (such as on Leftypol) or else there's no way to preserve newlines in posts (or other special whitespace).(An alternative solution, possibly better and more internally consistent, is sanitize the name and subject files before storing. However this solution is simple and has no side effects to deal with, and brings it inline with vichan's development)
Closed by #54