Wikka Mod 026
Type: Bug Fix
Credit: Joe Delaney http://www.rci.rutgers.edu/~jpd/wakka/SomeChanges (archived)
Double Double-quote insecurity
It was possible to insert XHTML or other escaped code using double double-quotes. This has been stopped by changing the relevant line in formatters/wakka.php to use htmlspecialchars().
More changes along this line might be necessary, with htmlspecialchars() (or URL encoding) being used any time text is passed straight through the formatter (URLs into a link, for example).
Change:
return $matches[1];
to
return htmlspecialchars($matches[1]);
formatters/wakka.php
// escaped text
else if (preg_match("/^\"\"(.*)\"\"$/s", $thing, $matches))
{
	return htmlspecialchars($matches[1]);
}
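A cut-down formatter showing the double double-quote branch before and after the change, together with escaping of a URL passed into a link as suggested above. This is an added example, not Wikka's own code: format_thing(), render(), the simplified [[url text]] handling and the scheme allow-list are assumptions, and the sample page text is constructed.

```php
<?php
// Added example (not Wikka's code); function names are hypothetical.

// $escape = false reproduces the pre-fix branch, true the patched one.
function format_thing(string $thing, bool $escape = true): string
{
    // escaped text: ""...""  (same pattern as formatters/wakka.php)
    if (preg_match('/^""(.*)""$/s', $thing, $matches)) {
        return $escape ? htmlspecialchars($matches[1]) : $matches[1];
    }
    // link: [[url text]] (simplified syntax, an assumption of this sketch)
    if (preg_match('/^\[\[(\S+)\s+(.+)\]\]$/s', $thing, $matches)) {
        // Assumed allow-list: escaping alone does not vet the URL scheme.
        if (preg_match('#^(https?|ftp|mailto):#i', $matches[1])) {
            $url  = htmlspecialchars($matches[1], ENT_QUOTES);
            $text = htmlspecialchars($matches[2], ENT_QUOTES);
            return "<a href=\"$url\">$text</a>";
        }
    }
    // Everything else is passed through as text, so it is escaped as well.
    return htmlspecialchars($thing, ENT_QUOTES);
}

function render(string $source, bool $escape = true): string
{
    // Tokenise into ""..."" spans, [[...]] links, plain runs, stray chars.
    return preg_replace_callback(
        '/("".*?""|\[\[.*?\]\]|[^"\[]+|.)/s',
        fn(array $m): string => format_thing($m[1], $escape),
        $source
    ) ?? '';
}

// Constructed sample page text.
$page = 'See ""<script>alert(1)</script>"" and '
      . '[[http://example.org/?a=1&b="x" docs]]';

echo "before: ", render($page, false), "\n";
echo "after:  ", render($page, true), "\n";
```

The "before" line shows the markup inside the double double-quotes reaching the output unchanged, while the "after" line shows it rendered as inert text; the link's href is entity-encoded in both.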