View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0019113||phpList 3 application||General||public||16-03-18 09:54||24-05-18 22:01|
|Priority||high||Severity||minor||Reproducibility||have not tried|
|Target Version||3.3.4||Fixed in Version||3.3.3|
|Summary||0019113: Subscribe page text attribute value is corrupted due to removeXss()|
|Tags||No tags attached.|
@xheni What about the preferences page? This does not appear to affect the problem when updating preferences via links links like: lists/?p=preferences&uid=d9d1210076982e38f22502a5c9f2a215
In the attached screenshot the attribute value was set using code from your branch (fix-corrupted-attributes).
Sorry for the misunderstanding. The changes that I made affect the subscriber details (?page=user) because the attributes were also corrupted there.
So the code before was basically calling:
This leads to double-encoding since the data is already encoded before.
We can do context-aware escaping instead, which will work. So we have two cases:
In this case we have two different cases that we need to escape, for the input field it is all “ so that nobody can do something like “><script>alert(1)</script>. If we remove all “ and replace that with the htmlentities version " .
For textarea the data is however in another structure. It needs to escape < and > with > and <
I'm working on the preferences page now that I understand it better where I need to do the changes and I will update soon.