[pLog-svn] ugh. r6488 breaks our good old friends <, >, &lt; in post text

Jon Daley plogworld at jon.limedaley.com
Tue Feb 17 16:22:22 EST 2009


No answer?  I'll just keep coding then.

I'm having trouble with allowing HTML and a '<' in a comment.  I am not 
sure how to get the bad-code filtering and the XHTML checker to allow it. 
Right now, '<' and '>' are removed, since they are bad HTML.  If we didn't 
allow HTML, but instead used a bbcode variant, that would fix it, as then 
I could escape all HTML.

On Fri, 13 Feb 2009, Jon Daley wrote:

> 	I just noticed that due to the htmlDecode call in filterJavascript 
> for the postText, it (now, as of rev. 6488) converts &lt; to < (in order to 
> catch the tricky javascript coders) and then the < is removed by the 
> xhtmlize() call later.
> 	I first thought I could put an htmlentities() or htmlspecialchars() at 
> the end of filterJavascript(), but that causes all HTML entities to be saved 
> as non-HTML, i.e. all < are converted to &lt;
> 	Maybe we do need to switch over to a new filter?
>
> And, please check out the following bug, which is likely the same issue as 
> what I just found.  I see that no one has been testing 1.2.9?  Are you all 
> still using insecure versions of LT (i.e. 1.2.8 or 2.0)?
>
> http://bugs.lifetype.net/view.php?id=1579

-- 
Jon Daley
http://jon.limedaley.com
~~
Anything that is designed to do more than
one thing can't do any of them well.
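The ordering problem Jon describes (decode entities so obfuscated "javascript:" shows up, then strip or escape) is easiest to see side by side. The following is an added example, not code from this thread or from LifeType, and it is written in Python rather than the project's PHP. It shows the two string-level orderings losing either the user's "&lt;" or the allowed tags, and then the approach that avoids both: tokenise the post once with an allowlist sanitizer, so the entity decode happens inside the parser where the href scheme check needs it, while text nodes are re-encoded on the way out. The sample comments, tag allowlist and function names are all constructed for this example.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample comments (not taken from the thread or from LifeType).
SAMPLE_MATH = "Use <b>bold</b> when x &lt; y."
SAMPLE_ATTACK = '<a href="javas&#99;ript:alert(1)">click</a>'


def decode_then_strip(text):
    """The r6488 order from the thread: unescape everything so an obfuscated
    'javascript:' becomes visible, then drop any '<' or '>' that is not part
    of a tag (a crude stand-in for what xhtmlize() does to stray brackets).
    The user's literal '&lt;' is decoded to '<' by step one and deleted by
    step two."""
    decoded = html.unescape(text)
    decoded = re.sub(r"javascript:", "", decoded, flags=re.IGNORECASE)
    # keep '<' only when a tag name or '/' follows, '>' only when it closes one
    return re.sub(r"<(?![A-Za-z/])|(?<![A-Za-z\"'/])>", "", decoded)


def decode_then_escape_all(text):
    """Jon's first idea: htmlspecialchars() after the decode. '&lt;' survives,
    but every allowed tag is turned into literal text as well."""
    return html.escape(html.unescape(text), quote=False)


# Tokenising allowlist sanitizer: decide per token instead of per string.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "code", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = {"http:", "https:", "mailto:"}


def safe_href(value):
    """HTMLParser hands over attribute values already entity-decoded, so
    'javas&#99;ript:' is seen here as 'javascript:'. Strip the ASCII control
    and space characters browsers ignore inside a scheme before checking."""
    cleaned = re.sub(r"[\x00-\x20]", "", value).lower()
    m = re.match(r"[a-z][a-z0-9+.-]*:", cleaned)
    if m is None:
        return True          # no scheme: relative link ('//host' passes too)
    return m.group(0) in SAFE_SCHEMES


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return                       # drop the tag, keep its text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()) or value is None:
                continue
            if name == "href" and not safe_href(value):
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag not in self.open_tags:
            return                       # stray or disallowed close tag
        while self.open_tags:            # close anything left open inside it
            inner = self.open_tags.pop()
            self.out.append(f"</{inner}>")
            if inner == tag:
                break

    def handle_data(self, data):
        # Text is re-escaped on the way out: user-written '&lt;' is parsed to
        # '<' and emitted as '&lt;' again, and a bare '<' can never become a tag.
        self.out.append(html.escape(data, quote=False))

    def result(self):
        self.close()                     # flush buffered text
        while self.open_tags:            # close tags the author left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(text):
    parser = Sanitizer()
    parser.feed(text)
    return parser.result()


if __name__ == "__main__":
    for fn in (decode_then_strip, decode_then_escape_all, sanitize):
        print(fn.__name__)
        print("  ", fn(SAMPLE_MATH))
        print("  ", fn(SAMPLE_ATTACK))
```

Run stand-alone it prints the three treatments of both samples: decode_then_strip turns "x &lt; y" into "x  y", decode_then_escape_all keeps the "&lt;" but emits "&lt;b&gt;bold&lt;/b&gt;", and sanitize returns SAMPLE_MATH unchanged while reducing the attack sample to "<a>click</a>". The difference is that the parser decodes entities in exactly one place, attribute values, which is where the scheme check needs the decoded form, and everything in a text node is re-escaped regardless of how the author wrote it. This is an illustration of the ordering point, not a complete XSS filter: it has no notion of style attributes, CSS or nested parsing contexts, and a real deployment should use a maintained sanitizer library.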

