[pLog-svn] ugh. r6488 breaks our good old friends <, >, &lt; in post text

Jon Daley plogworld at jon.limedaley.com
Tue Feb 17 16:34:08 EST 2009


Hrm.  Mark - it looks like your blog is using 1.2.9?  Are you up-to-date? 
I am wondering how Kevin (link below) is having encoding issues and you 
aren't?  Maybe he has something setup incorrectly?

On Tue, 17 Feb 2009, Jon Daley wrote:

> No answer?  I'll just keep coding then.
>
> I'm having trouble with allowing HTML and a '<' in a comment.  I am not sure 
> how to get the bad-code-filtering and the XHTML checker to allow it. Right 
> now, '<' and '>' are removed, since they are bad HTML.  If we didn't allow 
> HTML, but instead used a bbcode-variant, that would fix it, that then I could 
> escape all HTML.
>
> On Fri, 13 Feb 2009, Jon Daley wrote:
>
>> 	I just noticed that due to the htmlDecode call in filterJavascript 
>> for the postText, it (now, as of rev. 6488) converts &lt; to < (in order to 
>> catch the tricky javascript coders) and then the < is removed by the 
>> xhtmlize() call later.
>> 	I first thought I could put a htmlentities() or htmlspecialchars() at 
>> the end of filterJavascript(), but that causes all html entities to be 
>> saved as non-html, ie. all < are converted to &lt;
>> 	Maybe we do need to switchover to a new filter?
>> 
>> And, please check out the following bug, which is likely the same issue as 
>> what I just found.  I see that no one has been testing 1.2.9?  Are you all 
>> still using insecure versions of LT (ie. 1.2.8 or 2.0?)
>> 
>> http://bugs.lifetype.net/view.php?id=1579
>> 
>> 
>> 
>> 
>
>

-- 
Jon Daley
http://jon.limedaley.com
~~
"I think that too much media in the hands of one powerful entity
or one individual is a mistake. I think it runs counter to the
foundation of our country. I think it runs counter to the need
for Americans to know that they are getting news and information
from multiple sources that are not singularly controlled."
-- John Kerry, June 2004


More information about the pLog-svn mailing list