leftypol
/
leftypol
4
5
Fork 2
Code Issues 51 Pull Requests 1 Projects Releases Wiki Activity
Labels Milestones
New Issue

Determine best way to resolve double-escape in post editing #31

Closed
opened 3 years ago by leftypol · 3 comments
leftypol commented 3 years ago
Owner

See: https://github.com/towards-a-new-leftypol/leftypol_lainchan/issues/302

See: https://github.com/towards-a-new-leftypol/leftypol_lainchan/issues/302
leftypol added the
bug
 label 3 years ago
nonmakina commented 3 years ago
Collaborator

image

![image](/attachments/7655d3ef-e955-44da-a831-4e22ecd6450a)
image.png
397 KiB
discomrade commented 3 years ago
Collaborator

I have determined with confidence that the vichan fix is safe and correct.

The problem reported to lainchan was that editing a post subject could lead to HTML injection. https://github.com/lainchan/lainchan/issues/94

This same issue was noted by vichan a month later. https://github.com/vichan-devel/vichan/pull/230

antedeguemon correctly noted that the body is already sanitized and the email is saved using htmlspecialchars(). However the lainchan patcher used escaping on all the fields, resulting in double-escaping.

Escaping has to be done in the PHP rather than the HTML if $config[html_minify] is enabled (such as on Leftypol) or else there's no way to preserve newlines in posts (or other special whitespace).

(An alternative solution, possibly better and more internally consistent, is sanitize the name and subject files before storing. However this solution is simple and has no side effects to deal with, and brings it inline with vichan's development)

I have determined with confidence that the vichan fix is safe and correct. The problem reported to lainchan was that editing a post subject could lead to HTML injection. https://github.com/lainchan/lainchan/issues/94 This same issue was noted by vichan a month later. https://github.com/vichan-devel/vichan/pull/230 antedeguemon correctly noted that the body is already sanitized and the email is saved using `htmlspecialchars()`. However the lainchan patcher used escaping on all the fields, resulting in double-escaping. Escaping has to be done in the PHP rather than the HTML if `$config[html_minify]` is enabled (such as on Leftypol) or else there's no way to preserve newlines in posts (or other special whitespace). (An alternative solution, possibly better and more internally consistent, is sanitize the name and subject files before storing. However this solution is simple and has no side effects to deal with, and brings it inline with vichan's development)
discomrade commented 2 years ago
Collaborator

Closed by #54

Closed by https://git.leftypol.org/leftypol/leftypol/pulls/54
discomrade closed this issue 2 years ago
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
block_mass_delete_threads
config
display-appeal-src-ip
dockerize
fix-hud-dash
gitIgnore1
lazyLoading
safer-thread-move
tinyboard_noise
Labels
Apply labels
Clear labels
bug
Something is not working devops
Devops related, rather than software duplicate
This issue or pull request already exists feature request
New feature help wanted
Need some help invalid
Something is wrong question
More information is needed wontfix
This won't be fixed
No Label bug devops duplicate feature request help wanted invalid question wontfix
Milestone
Set milestone
Clear milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Assign users
Clear assignees
No Assignees
3 Participants
Notifications
Due Date

No due date set.

Dependencies

This issue currently doesn't have any dependencies.

Write Preview
Loading…
Cancel
Save
There is no content yet.
Delete Branch '%!s(MISSING)'

Deleting a branch is permanent. It CANNOT be undone. Continue?

No
Yes