[pLog-svn] ugh. r6488 breaks our good old friends <, >, < in post text
Jon Daley
plogworld at jon.limedaley.com
Tue Feb 17 16:34:08 EST 2009
Hrm. Mark - it looks like your blog is using 1.2.9? Are you up-to-date?
I am wondering how Kevin (link below) is having encoding issues and you
aren't? Maybe he has something set up incorrectly?
On Tue, 17 Feb 2009, Jon Daley wrote:
> No answer? I'll just keep coding then.
>
> I'm having trouble with allowing HTML and a '<' in a comment. I am not sure
> how to get the bad-code-filtering and the XHTML checker to allow it. Right
> now, '<' and '>' are removed, since they are bad HTML. If we didn't allow
> HTML, but instead used a bbcode-variant, that would fix it, as then I could
> escape all HTML.
>
> On Fri, 13 Feb 2009, Jon Daley wrote:
>
>> I just noticed that due to the htmlDecode call in filterJavascript
>> for the postText, it (now, as of rev. 6488) converts &lt; to < (in order to
>> catch the tricky javascript coders) and then the < is removed by the
>> xhtmlize() call later.
>> I first thought I could put a htmlentities() or htmlspecialchars() at
>> the end of filterJavascript(), but that causes all html entities to be
>> saved as non-html, i.e. all < are converted to &lt;
>> Maybe we do need to switch over to a new filter?
>>
>> And, please check out the following bug, which is likely the same issue as
>> what I just found. I see that no one has been testing 1.2.9? Are you all
>> still using insecure versions of LT (ie. 1.2.8 or 2.0?)
>>
>> http://bugs.lifetype.net/view.php?id=1579
>>
>>
>>
>>
>
>
--
Jon Daley
http://jon.limedaley.com
~~
"I think that too much media in the hands of one powerful entity
or one individual is a mistake. I think it runs counter to the
foundation of our country. I think it runs counter to the need
for Americans to know that they are getting news and information
from multiple sources that are not singularly controlled."
-- John Kerry, June 2004
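
The filtering problem described in this thread, as an added example that is not part of the original message and is not LifeType's code: `cleanup_markup()` and `looks_like_script()` are constructed stand-ins for `xhtmlize()` and the check inside `filterJavascript()`, and the sample comments are constructed. It contrasts passing the entity-decoded text on to the clean-up stage with decoding only a copy for inspection and storing the original.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the XHTML clean-up stage (not LifeType's xhtmlize()):
// keeps a few well-formed tags and deletes every other '<' or '>'.
function cleanup_markup(string $html): string
{
    $parts = preg_split('~(</?(?:b|i|em|strong|p|br|code)\s*/?>)~i', $html, -1, PREG_SPLIT_DELIM_CAPTURE);
    foreach ($parts as $i => $part) {
        if ($i % 2 === 0) {               // even index = text between allowed tags
            $parts[$i] = str_replace(['<', '>'], '', $part);
        }
    }
    return implode('', $parts);
}

// Constructed stand-in for the script check: true if the text looks like active content.
function looks_like_script(string $text): bool
{
    return preg_match('~<\s*script|javascript\s*:|\bon\w+\s*=~i', $text) === 1;
}

// Behaviour described in the thread: the decoded text itself is passed on,
// so an escaped &lt; becomes a bare '<' and the clean-up stage deletes it.
function pipeline_decode_and_keep(string $input): ?string
{
    $decoded = html_entity_decode($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return looks_like_script($decoded) ? null : cleanup_markup($decoded);
}

// Alternative: decode only a throwaway copy for inspection, store the original.
// Encoded script schemes are still caught, and entities survive unchanged.
function pipeline_inspect_copy(string $input): ?string
{
    $decoded = html_entity_decode($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return looks_like_script($decoded) ? null : cleanup_markup($input);
}

$samples = [                                   // constructed comment bodies
    'if a &lt; b then <b>stop</b>',            // escaped '<' next to allowed HTML
    '<i>x</i> &amp;lt; y',                     // author wants a literal "&lt;" shown
    '<a href="java&#115;cript:run()">x</a>',   // scheme hidden behind an entity
];
foreach ($samples as $s) {
    printf("%-40s keep=%s | copy=%s\n", $s,
        var_export(pipeline_decode_and_keep($s), true),
        var_export(pipeline_inspect_copy($s), true));
}
```

A `NULL` result means the comment was rejected; for the first sample the decode-and-keep pipeline loses the `<`, while the inspect-a-copy pipeline returns the text unchanged.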