View Issue Details

IDProjectCategoryView StatusLast Update
0017294phplist applicationInterface - Administratorpublic09-10-14 15:25
Reporterduncanc 
PrioritynormalSeverityminorReproducibilityalways
Status resolvedResolutionfixed 
Product Version3.0.6 
Target Version3.0.9Fixed in Version3.0.9 
Summary0017294: List name is corrupted when it contains an & character
DescriptionA list name that includes an & character gets corrupted with further & characters each time that the list is edited and saved.
e.g list name "test M&S" becomes "test M & amp;S" (I have put some spaces in to try to stop Mantis from mangling the text).

Looking at file admin/editlist.php a function removeXss() is called on the list name. Function removeXss() calls htmlspecialchars(), so the list name then has been html escaped, and is stored like that in the database.

When the list is edited, the list name is html escaped again, in file admin/editlist.php, which seems to lead to the corruption.

This appears an odd approach and wondered whether it has been left-over from the past. Searching for the user of removeXss() shows that it is used only on a few fields:
template title
subscribe page title
list name
and some filter fields when searching for a user.

removeXss() is not used on other fields, such as a message subject.

Input fields should be validated when necessary but htmlspecialchars() should be called when outputting the field value from the database, not on input.
TagsNo tags attached.

Activities

There are no notes attached to this issue.