View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0019113 | phpList 3 application | General | public | 16-03-18 09:54 | 24-05-18 21:01 |
Reporter | Assigned To | ||||
Priority | high | Severity | minor | Reproducibility | have not tried |
Status | resolved | Resolution | fixed | ||
Platform | Linux | OS | Fedora | OS Version | 26 |
Product Version | 3.3.2-RC3 | ||||
Target Version | 3.3.4 | Fixed in Version | 3.3.3 | ||
Summary | 0019113: Subscribe page text attribute value is corrupted due to removeXss() | ||||
Description | See https://github.com/phpList/phplist3/issues/264#issuecomment-373473456 | ||||
Tags | No tags attached. | ||||
|
PR: https://github.com/phpList/phplist3/pull/296 |
|
@xheni What about the preferences page? This does not appear to affect the problem when updating preferences via links links like: lists/?p=preferences&uid=d9d1210076982e38f22502a5c9f2a215 In the attached screenshot the attribute value was set using code from your branch (fix-corrupted-attributes). |
|
Sorry for the misunderstanding. The changes that I made affect the subscriber details (?page=user) because the attributes were also corrupted there. So the code before was basically calling: htmlspecialchars($foo) This leads to double-encoding since the data is already encoded before. We can do context-aware escaping instead, which will work. So we have two cases: <input value=”foo”> <textarea>foo</textarea> In this case we have two different cases that we need to escape, for the input field it is all “ so that nobody can do something like “><script>alert(1)</script>. If we remove all “ and replace that with the htmlentities version " . For textarea the data is however in another structure. It needs to escape < and > with > and < I'm working on the preferences page now that I understand it better where I need to do the changes and I will update soon. |