Re: [Phpslash-devel] yet more suggestions for .73...
From: Luis M <le...@ho...> - 2003-05-11 19:23:46
Hi,

> On Sat, 10 May 2003, Luis M wrote:
>
> > ummm it seems that posting code to an article causes phpslash to parse the
> > code. This makes yet another suggestion for the future release:
> >
> > #. Do not parse code coming from articles.
> >
> > Things like having $php variables, or {VAR} containers for templates... They
> > should all be escaped if the text comes from an article. That could
> > potentially eliminate all types of cross-site scripting and sql-code
> > injection that <i>might</i> be lurking in the phpslash code...
>
> Can you please give a very specific example of what exactly you did to
> discover this (including html/exttrans/plain settings, php version,
> phpslash version, os version, browser, and a step-by-step regression)?
> Does this happen every time? If so I'd like to fix this and get it out
> pronto.

I believe this is the same for all versions of phpslash since 0.62 up to 0.72rc1:

1. Go to the Admin section
2. Hit "new" to add a new story
3. Try to add a story that contains Perl code with hashes defined like: $myhash{td} . etc...

The {td} part of the hashes will mess up the article badly when previewing. In fact, the whole page gets mumbled with all kinds of crazy things. What I do to fix that is adding spaces between the curly braces.

I don't think this affects the server directly, nor have I tried to inject any type of code into the database. In other words, I'm assuming this cannot be done and have not tried. In any case, only users with Admin rights can add news to the site. So, nothing to worry about (right?).

However, I believe that the stories (the text coming from the database to be displayed as stories) should not be parsed as if they were a template or as if dynamic PHP code was coming from the database... That could create problems. (It creates problems for people who have sites publishing code, as I do :-) )

----)(-----
Luis Mondesi
System Administrator
LatinoMixed.com
le...@ho...

"...The Mac does this so smoothly, it feels like an extension of your mind." - Paula Speer, MacWorld Magazine 2003-04

Public signature: http://www.latinomixed.com/lems1/public-a.asc

_________________________________________________________________
MSN Messenger : chat live with your friends! http://www.msn.fr/msger/default.asp
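The failure mode described in the message above (an article body containing `{td}` being run through the same `{NAME}` placeholder substitution as the page template) and the escaping suggested as a fix, as an added illustration that is not phpslash's code nor the poster's: a small Python model of a brace-placeholder template pass showing the vulnerable ordering (splice the article in, then substitute over the whole page), the fixed ordering (substitute template variables over the template text only, then splice the article in last), and brace-escaping for content that must survive a later re-parse. phpslash itself is PHP; the template, article, variable names and the "unknown placeholders are removed" behaviour are constructed assumptions for this example.

```python
"""Template-placeholder injection from stored content: constructed model,
not phpslash's code. Shows why article text must not be fed through the
same {NAME} substitution pass as the page template."""
import re

# A template variable is {NAME} with an identifier-like NAME.
PLACEHOLDER = re.compile(r"\{([A-Za-z_][A-Za-z0-9_]*)\}")

# Constructed page template and story (assumptions, not phpslash's templates).
PAGE_TEMPLATE = "<h1>{TITLE}</h1>\n<div class=story>{BODY}</div>\n<p>{FOOTER}</p>"
ARTICLE = "Use a hash: $myhash{td} = 1; print $myhash{td};"
VARS = {"TITLE": "Perl tips", "FOOTER": "(c) site"}


def find_placeholders(text):
    """Names that a substitution pass would treat as template variables.
    Useful as a preview-time check on content that comes from the database."""
    return PLACEHOLDER.findall(text)


def render_naive(template, variables, body):
    """Vulnerable ordering: splice the article in, then substitute over the
    whole page. Anything in the article that looks like {NAME} is now a
    template variable: known names are replaced with the site's values,
    unknown names are dropped (assumed "remove unknowns" behaviour, common in
    PHP template classes of that era). {td} simply vanishes."""
    page = template.replace("{BODY}", body)
    return PLACEHOLDER.sub(lambda m: variables.get(m.group(1), ""), page)


def render_safe(template, variables, body):
    """Fixed ordering: substitute template variables over the template text
    only, leaving a sentinel where the article goes, then splice the article
    in as the very last step. Its braces are never parsed. The sentinel uses
    NUL bytes so the placeholder regex cannot match it."""
    marker = "\0BODY\0"

    def expand(m):
        name = m.group(1)
        return marker if name == "BODY" else variables.get(name, "")

    page = PLACEHOLDER.sub(expand, template)
    return page.replace(marker, body)


def escape_braces(text):
    """Escape braces as HTML entities. The browser renders them as { and },
    but no {NAME} pass will ever match them, so this protects content that
    still has to survive a later re-parse you do not control."""
    return text.replace("{", "&#123;").replace("}", "&#125;")


if __name__ == "__main__":
    print("placeholders in article:", find_placeholders(ARTICLE))
    print("--- naive ---\n" + render_naive(PAGE_TEMPLATE, VARS, ARTICLE))
    print("--- safe ---\n" + render_safe(PAGE_TEMPLATE, VARS, ARTICLE))
    print("--- escaped, through the naive pass ---\n"
          + render_naive(PAGE_TEMPLATE, VARS, escape_braces(ARTICLE)))
    # Content can also pull template variables in: a story containing
    # "{FOOTER}" gets the footer text under the naive ordering.
    print("--- injected {FOOTER} ---\n" + render_naive(PAGE_TEMPLATE, VARS, "{FOOTER}"))
```

The naive pass is the reason spaces between the braces "fix" the preview: `$myhash{ td }` no longer matches the placeholder pattern. Either of the two real fixes (splice content last, or escape its braces) removes the dependence on what the content happens to contain; the `find_placeholders` check is the kind of thing to run on a story at preview time to flag content that the current engine would mangle.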