==== Wikka Mod 026 ====
Type: Bug Fix
----
===Credit:===
**[[http://web.archive.org/web/20040810214724/http://www.wakkawiki.com/JoeD | Joe Delaney]]**
[[http://web.archive.org/web/20040804174320/http://www.rci.rutgers.edu/~jpd/wakka/SomeChanges | http://www.rci.rutgers.edu/~jpd/wakka/SomeChanges]] //(archived)//
----
==Double Double-quote insecurity==
It was possible to insert XHTML or other escaped code using double double-quotes, because the text between them was returned by the formatter verbatim. This has been stopped by changing the escaped-text branch in formatters/wakka.php to pass the captured text through htmlspecialchars(). More changes along this line might be necessary, with htmlspecialchars() (or URL encoding) being applied any time text is passed straight through the formatter (URLs into a link, for example).

Change: ##return $matches[1];## to ##return htmlspecialchars($matches[1]);##

**formatters/wakka.php**
%%(php)
// escaped text
else if (preg_match("/^\"\"(.*)\"\"$/s", $thing, $matches))
{
    return htmlspecialchars($matches[1]);
}
%%
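The following is an added example, not code from WikkaWiki or from this mod; it puts the pre-fix and post-fix versions of the escaped-text branch side by side so the difference can be seen on constructed input. The function names are assumptions for the example only, and the post-fix version passes ENT_QUOTES and a charset to htmlspecialchars(), which goes slightly beyond the one-line change above (the mod itself relies on the default flags).

```php
<?php
// Added example (not WikkaWiki's own code). It reuses the same regex as the
// escaped-text branch in formatters/wakka.php; function names are assumed.

// Pre-fix behaviour: whatever sits between the double double-quotes is
// returned untouched, so raw markup passes straight through the formatter
// into the rendered page.
function escape_token_before_fix(string $thing): ?string
{
    if (preg_match("/^\"\"(.*)\"\"$/s", $thing, $matches)) {
        return $matches[1];
    }
    return null; // not an escaped-text token at all
}

// Post-fix behaviour: same match, but the payload is HTML-encoded before it
// is returned. ENT_QUOTES also encodes single quotes, which matters if the
// text could ever end up inside an attribute value.
function escape_token_after_fix(string $thing): ?string
{
    if (preg_match("/^\"\"(.*)\"\"$/s", $thing, $matches)) {
        return htmlspecialchars($matches[1], ENT_QUOTES, 'UTF-8');
    }
    return null;
}

// Constructed sample tokens, as the formatter would see them.
$samples = [
    '""plain text""',
    '""<b>bold</b> & <i>italic</i>""',
    "\"\"multi\nline\"\"",          // the /s modifier lets (.*) span lines
    'not an escaped token',
];

foreach ($samples as $thing) {
    printf("token : %s\n", json_encode($thing));
    printf("before: %s\n", var_export(escape_token_before_fix($thing), true));
    printf("after : %s\n\n", var_export(escape_token_after_fix($thing), true));
}
```

Run it with the PHP CLI (php example.php). The second sample is the interesting one: before the fix the tags come back as-is, after the fix they come back as &lt;b&gt; and friends and render as literal text. The same pattern applies to the other pass-through points the mod mentions: anything the formatter copies from user text into HTML needs htmlspecialchars(), and anything it copies into a URL needs urlencode()/rawurlencode() instead.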