View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0017294||phplist application||Interface - Administrator||public||10-08-14 17:08||09-10-14 14:25|
|Target Version||3.0.9||Fixed in Version||3.0.9|
|Summary||0017294: List name is corrupted when it contains an & character|
|Description||A list name that includes an & character gets corrupted with further & characters each time that the list is edited and saved.|
e.g list name "test M&S" becomes "test M & amp;S" (I have put some spaces in to try to stop Mantis from mangling the text).
Looking at file admin/editlist.php a function removeXss() is called on the list name. Function removeXss() calls htmlspecialchars(), so the list name then has been html escaped, and is stored like that in the database.
When the list is edited, the list name is html escaped again, in file admin/editlist.php, which seems to lead to the corruption.
This appears an odd approach and wondered whether it has been left-over from the past. Searching for the user of removeXss() shows that it is used only on a few fields:
subscribe page title
and some filter fields when searching for a user.
removeXss() is not used on other fields, such as a message subject.
Input fields should be validated when necessary but htmlspecialchars() should be called when outputting the field value from the database, not on input.
|Tags||No tags attached.|