Wiki source for Mod026bDoubleDoubleQuoteInsecurity
==== Wikka Mod 026 ====
Type: Bug Fix
----
===Credit:===
**[[http://web.archive.org/web/20040810214724/http://www.wakkawiki.com/JoeD | Joe Delaney]]**
[[http://web.archive.org/web/20040804174320/http://www.rci.rutgers.edu/~jpd/wakka/SomeChanges | http://www.rci.rutgers.edu/~jpd/wakka/SomeChanges]] //(archived)//
----
==Double Double-quote insecurity==
It was possible to insert xhtml or other escaped code using double double-quotes. This has been stopped by changing
formatters/wakka.php line to use htmlspecialchars.
More changes along this line might be necessary, with htmlspecialchars() being used or (url encoding) any time text is passed straight through the formatter (urls into a link, for example).
Change:
return $matches[1];
to
return htmlspecialchars($matches[1]);
**formatters/wakka.php**
%%(php)
// escaped text
else if (preg_match("/^\"\"(.*)\"\"$/s", $thing, $matches))
{
return htmlspecialchars($matches[1]);
}
%%
Type: Bug Fix
----
===Credit:===
**[[http://web.archive.org/web/20040810214724/http://www.wakkawiki.com/JoeD | Joe Delaney]]**
[[http://web.archive.org/web/20040804174320/http://www.rci.rutgers.edu/~jpd/wakka/SomeChanges | http://www.rci.rutgers.edu/~jpd/wakka/SomeChanges]] //(archived)//
----
==Double Double-quote insecurity==
It was possible to insert xhtml or other escaped code using double double-quotes. This has been stopped by changing
formatters/wakka.php line to use htmlspecialchars.
More changes along this line might be necessary, with htmlspecialchars() being used or (url encoding) any time text is passed straight through the formatter (urls into a link, for example).
Change:
return $matches[1];
to
return htmlspecialchars($matches[1]);
**formatters/wakka.php**
%%(php)
// escaped text
else if (preg_match("/^\"\"(.*)\"\"$/s", $thing, $matches))
{
return htmlspecialchars($matches[1]);
}
%%
