Topic: $HTML_SUBST problem in displayecard.php

Titooy (VIP)
$HTML_SUBST problem in displayecard.php
« on: December 23, 2005, 02:08:39 pm »

Since $HTML_SUBST contains '&' => '&amp;', all the &xxx; characters are broken in displayecard.php because of line 43:
Code:
foreach($data as $key => $value) $data[$key] = strtr($value, $HTML_SUBST);
« Last Edit: August 15, 2006, 07:59:36 am by TranzNDance »

kat-long (Coppermine newbie)
apostrophe in ecard message and title gets switched to &#39;
« Reply #1 on: July 06, 2006, 07:42:22 am »

When you click on the ecard link that takes you to the gallery, if you used an apostrophe in your title or message, it gets replaced with &#39;.
Try it: http://206.125.210.89/cpg148/displayimage.php?album=3&pos=2

Sami (VIP)
Re: apostrophe in ecard message and title gets switched to &#39;
« Reply #2 on: July 06, 2006, 07:50:12 am »

You are right.
"Alternate link if the e-card does not display correctly" will send you to displayecard.php, and here we have &quot; instead of " (every special character gets filtered).
I think it's a bug.

Clanger (Coppermine newbie)
Re: apostrophe in ecard message and title gets switched to &#39;
« Reply #3 on: August 12, 2006, 07:02:04 pm »

Yes, I've noticed this too; it's not just the apostrophe, these characters are also a problem: " & < >.

Doesn't matter where they appear, in the subject line, message body or sender name, they always get switched.

Only a problem when viewed via displayecard.php.

Tranz (Dev Team member)
Re: apostrophe in ecard message and title gets switched to &#39;
« Reply #4 on: August 13, 2006, 05:08:01 pm »

In displayecard.php:

FIND:
Code:
foreach($data as $key => $value) $data[$key] = strtr($value, $HTML_SUBST);

REPLACE with:
Code:
foreach($data as $key => $value) $data[$key] = html_entity_decode(strtr($value, $HTML_SUBST));

Since the encoding is a security feature, I'll need another dev to confirm it is okay to decode the html entities before committing the fix to svn.

Tranz (Dev Team member)
Re: $HTML_SUBST problem in displayecard.php
« Reply #5 on: August 13, 2006, 05:12:01 pm »

Merged two threads reporting the same issue. :)

Joachim Müller (Dev Team member)
Re: $HTML_SUBST problem in displayecard.php
« Reply #6 on: August 14, 2006, 08:24:48 am »

Hm, this has to be considered thoroughly indeed: a link can only make it into those fields using bbcode, so we have to rely on the bbcode mechanisms to make sure no malevolent link can make it into the output. Imo, the code fix you suggested should go into the core, as there's nothing particularly different in ecards than in any other regular Coppermine page that outputs user input on a page.
Yes, Thu: please go ahead and commit.

Tranz (Dev Team member)
Re: $HTML_SUBST problem in displayecard.php
« Reply #7 on: August 15, 2006, 07:59:14 am »

Fix committed to svn in stable and devel branches.

Nibbler (Guest)
Re: $HTML_SUBST problem in displayecard.php
« Reply #8 on: October 27, 2006, 02:49:59 am »

html_entity_decode() is a PHP 4.3 function; you can't use that without raising the minimum requirements.

You can use

Code:
strtr($value, array_flip($HTML_SUBST));
instead.
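As an added illustration (this is not code from the thread or from Coppermine) of why the second strtr() pass on an already-encoded ecard field breaks entities, and of how the two decoders proposed above, html_entity_decode() and the array_flip()-reversed table, behave on the result. The $HTML_SUBST here is a constructed table with the shape the thread describes, not a copy of Coppermine's own; the '%26' entry in the second table is a hypothetical duplicate added only to show where array_flip() stops being a safe inverse; and the reading of Nibbler's one-liner as a drop-in for html_entity_decode() is this example's, not his.

```php
<?php
// Added example, not Coppermine code: the double-encoding behind the
// reported bug, and the two decoders from the thread applied to it.

// Constructed stand-in for $HTML_SUBST (raw character => entity), with the
// shape the thread describes. Not Coppermine's actual table.
$HTML_SUBST = array(
    '&' => '&amp;',
    '"' => '&quot;',
    '<' => '&lt;',
    '>' => '&gt;',
    "'" => '&#39;',
);

// Assumption behind the thread: the input layer has already run the value
// through $HTML_SUBST once before it reaches displayecard.php.
function encode_once($value, array $subst)
{
    return strtr($value, $subst);
}

// The reported line 43, applied to a value that is already encoded.
// strtr() never rescans its own output, but the leading '&' of every stored
// entity is a bare '&' in its input, so '&#39;' turns into '&amp;#39;'.
function encode_twice($stored, array $subst)
{
    return strtr($stored, $subst);
}

// Tranz's fix: encode, then strip exactly one level of entities again.
function fix_with_decode($stored, array $subst)
{
    return html_entity_decode(strtr($stored, $subst));
}

// Nibbler's alternative, read here as replacing html_entity_decode() with
// the reversed table so that no PHP 4.3 function is needed.
function fix_with_flip($stored, array $subst)
{
    return strtr(strtr($stored, $subst), array_flip($subst));
}

// array_flip() only yields an inverse when no two keys map to the same
// entity; duplicate values are silently collapsed to the last key seen.
function subst_is_invertible(array $subst)
{
    return count(array_unique($subst)) === count($subst);
}

// Constructed sample ecard title containing every character in the table.
$title  = 'Tom\'s "best" <cat> & dog';
$stored = encode_once($title, $HTML_SUBST);

printf("stored once : %s\n", $stored);
printf("line 43     : %s\n", encode_twice($stored, $HTML_SUBST));
printf("decode fix  : %s\n", fix_with_decode($stored, $HTML_SUBST));
printf("flip fix    : %s\n", fix_with_flip($stored, $HTML_SUBST));

// Hypothetical table with a duplicate value ('%26' => '&amp;' is an
// illustration, not a claim about Coppermine): array_flip() keeps only the
// last key for '&amp;', so the flipped table no longer undoes the encoding.
$dup        = $HTML_SUBST + array('%26' => '&amp;');
$stored_amp = encode_once('Tom & Jerry', $dup);
printf("invertible? : %s\n", subst_is_invertible($dup) ? 'yes' : 'no');
printf("flip, dup   : %s\n", fix_with_flip($stored_amp, $dup));
printf("decode, dup : %s\n", fix_with_decode($stored_amp, $dup));

// The caveat behind "the encoding is a security feature": both fixes remove
// one level of encoding, so a value that reached this page without the
// input-layer encoding comes back out as raw markup.
$never_encoded = '<script>alert(1)</script>';
printf("raw input   : %s\n", fix_with_decode($never_encoded, $HTML_SUBST));
```

Run it with `php example.php`. On the one-to-one table both decoders give back the stored, singly-encoded value, because the second strtr() adds exactly one layer and each decoder removes exactly one. With the duplicate-value table the flipped map turns the stored '&amp;' into '%26' followed by 'amp;' while html_entity_decode() still returns the stored form, so if the array_flip() route is used the table should first be checked with subst_is_invertible(). The last line shows that neither fix adds protection of its own: it is safe only under the assumption that every value reaching displayecard.php was encoded once on the way in.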