$HTML_SUBST problem in displayecard.php

Started by Titooy, December 23, 2005, 02:08:39 PM


Titooy

Since $HTML_SUBST contains '&' => '&amp;', all the &xxx; characters are broken in displayecard.php because of line 43:

foreach($data as $key => $value) $data[$key] = strtr($value, $HTML_SUBST);

kat-long

When you click on the link in the ecard that takes you to the gallery, if you used an apostrophe in your title or message, it gets replaced with its HTML entity.
Try it: http://206.125.210.89/cpg148/displayimage.php?album=3&pos=2

Sami

You are right.
"Alternate link if the e-card does not display correctly" will send you to displayecard.php, and here we have &quot; instead of " (every special character gets filtered).
I think it's a bug.

I don't answer PMs with support questions.
Please post your issue to the related board.

Clanger

Yes, I've noticed this too. It's not just the apostrophe; these characters are also a problem: " & < >.

It doesn't matter where they appear, in the subject line, message body or sender name, they always get switched.

Only a problem when viewed via displayecard.php.


Tranz

In displayecard.php:

FIND:
foreach($data as $key => $value) $data[$key] = strtr($value, $HTML_SUBST);


REPLACE with:
foreach($data as $key => $value) $data[$key] = html_entity_decode(strtr($value, $HTML_SUBST));


Since the encoding is a security feature, I'll need another dev to confirm it is okay to decode the html entities before committing the fix to svn.

Tranz

Merged two threads reporting the same issue. :)

Joachim Müller

Hm, this has to be considered thoroughly indeed: a link can only make it into those fields using bbcode, so we have to rely on the bbcode mechanisms to make sure no malevolent link can make it into the output. Imo, the code fix you suggested should go into the core, as there's nothing particularly different in ecards than in any other regular coppermine page that outputs user input on a page.
Yes, Thu: please go ahead and commit.

Tranz

Fix committed to svn in stable and devel branches.

Nibbler

html_entity_decode() is a PHP 4.3 function; you can't use that without raising the minimum requirements.

You can use

strtr($value, array_flip($HTML_SUBST));

instead.
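The three transformations discussed in this thread (the double escaping Titooy diagnosed, Tranz's html_entity_decode() fix, and Nibbler's array_flip() alternative), run side by side on constructed ecard fields so the difference between them is visible. This is an added example, not Coppermine's own code: the $HTML_SUBST table below is a small stand-in for the real one, the $data array and the raw/colliding samples are constructed, and the function names are invented for the demonstration.

```php
<?php
// Added example, not Coppermine's code. The escape table is an assumption
// standing in for Coppermine's $HTML_SUBST; all sample data is constructed.
$HTML_SUBST = array(
    '&' => '&amp;',
    '"' => '&quot;',
    "'" => '&#039;',
    '<' => '&lt;',
    '>' => '&gt;',
);

// What displayecard.php receives: fields that were already passed through
// $HTML_SUBST once when the ecard was sent (constructed sample).
$data = array(
    'sender_name' => 'Tom &amp; Jerry',
    'title'       => 'It&#039;s a &quot;test&quot;',
    'message'     => '1 &lt; 2 &amp;&amp; 3 &gt; 2',
);

// 1. The reported behaviour: escaping an already-escaped value a second time,
//    so '&amp;' becomes '&amp;amp;' and the browser shows a literal '&amp;'.
function escape_again(array $data, array $subst) {
    foreach ($data as $key => $value) {
        $data[$key] = strtr($value, $subst);
    }
    return $data;
}

// 2. Tranz's committed fix: escape, then decode every entity once. The decode
//    removes exactly the layer strtr() added, so for an already-escaped value
//    the result is the stored value, unchanged.
function escape_then_decode(array $data, array $subst) {
    foreach ($data as $key => $value) {
        $data[$key] = html_entity_decode(strtr($value, $subst));
    }
    return $data;
}

// 3. strtr($value, array_flip($HTML_SUBST)) applied to the incoming value on
//    its own: this removes one layer of escaping, so already-escaped input
//    comes out as the raw characters.
function unescape_once(array $data, array $subst) {
    $reverse = array_flip($subst);
    foreach ($data as $key => $value) {
        $data[$key] = strtr($value, $reverse);
    }
    return $data;
}

// 4. The same reversed table used only in place of html_entity_decode(),
//    i.e. strtr(strtr($value, $subst), array_flip($subst)). For the characters
//    in the table this behaves like 2 without needing PHP 4.3.
function escape_then_unescape(array $data, array $subst) {
    $reverse = array_flip($subst);
    foreach ($data as $key => $value) {
        $data[$key] = strtr(strtr($value, $subst), $reverse);
    }
    return $data;
}

foreach (array('escape_again', 'escape_then_decode', 'unescape_once', 'escape_then_unescape') as $fn) {
    echo "== $fn ==\n";
    foreach ($fn($data, $HTML_SUBST) as $key => $value) {
        echo "  $key: $value\n";
    }
}

// Caveat a: both fixes assume every field was escaped once upstream. A field
// that arrives raw is output raw, because escape-then-decode undoes its own
// escaping. (Constructed raw input.)
$raw = array('title' => '<b>raw</b>');
echo "raw input through escape_then_decode: " . implode('', escape_then_decode($raw, $HTML_SUBST)) . "\n";

// Caveat b: array_flip() keeps only the last key for a repeated value. With a
// constructed table in which two inputs map to the same entity, '&amp;' no
// longer flips back to '&'.
$with_collision = $HTML_SUBST + array('%26' => '&amp;');
$flipped = array_flip($with_collision);
echo "'&amp;' flips back to: " . $flipped['&amp;'] . "\n";
```

Reading the output: escape_again() reproduces the bug from the first post; escape_then_decode() prints the three fields exactly as they were stored, which is why it fixes the display while still sending escaped text to the browser; unescape_once() prints `Tom & Jerry`, `It's a "test"` and `1 < 2 && 3 > 2`, so the flipped table is a drop-in for the html_entity_decode() call only, not for the whole expression. The two caveats at the end are the checks a reviewer would want before committing either variant: a value that reaches displayecard.php unescaped leaves it unescaped, and array_flip() silently discards one of any two keys that share a value.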