View Issue Details

IDProjectCategoryView StatusLast Update
0019113phpList 3 applicationAll Otherpublic24-05-18 21:01
PriorityhighSeverityminorReproducibilityhave not tried
Status resolvedResolutionfixed 
PlatformLinuxOSFedoraOS Version26
Product Version3.3.2-RC3 
Target Version3.3.4Fixed in Version3.3.3 
Summary0019113: Subscribe page text attribute value is corrupted due to removeXss()
TagsNo tags attached.



20-04-18 09:41

administrator   ~0060445



20-04-18 13:28

administrator   ~0060446

@xheni What about the preferences page? This does not appear to affect the problem when updating preferences via links links like: lists/?p=preferences&uid=d9d1210076982e38f22502a5c9f2a215

In the attached screenshot the attribute value was set using code from your branch (fix-corrupted-attributes).

Selection_400.png (92,048 bytes)
Selection_400.png (92,048 bytes)


20-04-18 15:51

administrator   ~0060448

Sorry for the misunderstanding. The changes that I made affect the subscriber details (?page=user) because the attributes were also corrupted there.
So the code before was basically calling:
This leads to double-encoding since the data is already encoded before.
We can do context-aware escaping instead, which will work. So we have two cases:
<input value=”foo”>
In this case we have two different cases that we need to escape, for the input field it is all “ so that nobody can do something like “><script>alert(1)</script>. If we remove all “ and replace that with the htmlentities version &#x22; .
For textarea the data is however in another structure. It needs to escape < and > with > and <
I'm working on the preferences page now that I understand it better where I need to do the changes and I will update soon.