|
|
PR: https://github.com/phpList/phplist3/pull/296 |
|
|
@xheni What about the preferences page? This does not appear to affect the problem when updating preferences via links links like: lists/?p=preferences&uid=d9d1210076982e38f22502a5c9f2a215 In the attached screenshot the attribute value was set using code from your branch (fix-corrupted-attributes). Selection_400.png (92,048 bytes) |
|
|
Sorry for the misunderstanding. The changes that I made affect the subscriber details (?page=user) because the attributes were also corrupted there. So the code before was basically calling: htmlspecialchars($foo) This leads to double-encoding since the data is already encoded before. We can do context-aware escaping instead, which will work. So we have two cases: <input value=”foo”> <textarea>foo</textarea> In this case we have two different cases that we need to escape, for the input field it is all “ so that nobody can do something like “><script>alert(1)</script>. If we remove all “ and replace that with the htmlentities version " . For textarea the data is however in another structure. It needs to escape < and > with > and < I'm working on the preferences page now that I understand it better where I need to do the changes and I will update soon. |
- Anonymous
