#1452 Wiki : Pages can't be named with "#", "&" or """


Up to now this is the only problem reported due to the variable testing of SQL metacharacters that is new in 1.8.2, in tiki-setup_base.php:

The error is like:

Invalid variable value : page = BPFK Checkpoint: Letterals #1

if you're trying to edit or create a page named "BPFK Checkpoint: Letterals #1".

This comes from this line of code:

$patterns['string'] = "/^[^<>\";&#]*$/"; // find, and such extended chars

This can and will affect anywhere a GET parameter contains those characters.
"the protection can probably be enhanced, just nobody complained up to now. The detail of the security issue is on http://www.gulftech.org/04112004.php (chapter cross site scripting)."

Here's the full topic on tikiwiki-devel, thanks to Robin:


  • Oliver Hertel

    Oliver Hertel - 2004-05-18
    • status: open --> closed-rejected
  • Oliver Hertel

    Oliver Hertel - 2004-05-18

    Logged In: YES

    That's a feature, not a bug. You wouldn't be able to call
    these pages, because # and & are used by browsers to
    reference sections in pages and transfer parameters to
    the server. #1 would get eaten by the browser, trying to
    address a block like <a name="1"> inside the page, and
    &test would be eaten by the web server, trying to extract a
    parameter called test from the url.

  • Philippe Cloutier

    • status: closed-rejected --> open-accepted
  • Kolja Sulimma

    Kolja Sulimma - 2004-08-08

    Logged In: YES

    I have a site that has pages that contain quotation marks
    that were added with an earlier version of tiki.

    As these were not converted when upgrading, this is a bug
    and not a feature. You can decide whether it is a bug in
    tiki or in the upgrade script.

    As there is no script to convert my 1.8.3 database back to
    1.8.1 I would need at least a way of renaming these pages.
    (The 'rename' button obviously doesn't work.)

    But I agree with chealer that proper url encoding should
    fix the problem.

    To see the bug in action click on the only search result on
    this page:

  • Philippe Cloutier

    • priority: 5 --> 6
    • milestone: 392507 --> v1.8.4
  • Damian Parker

    Damian Parker - 2004-08-26
    • status: open-accepted --> closed-rejected
  • Philippe Cloutier

    • priority: 6 --> 5
    • status: closed-rejected --> open
  • Philippe Cloutier

    Logged In: YES

    This bug is still not addressed.
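
The exchange above turns on two separate things: the metacharacter filter quoted from tiki-setup_base.php, and what a browser and a web server do with a raw "#" or "&" in a link. The script below is an added example (not code from the report or from TikiWiki) that puts both side by side. It ports the PHP regex to Python, builds the page link two ways (a hypothetical template that pastes the name in raw, and one that percent-encodes it the way PHP's rawurlencode would), emulates what reaches the server in each case, and shows that even a correctly encoded name still fails the filter once decoded, which is the reason the last comment says the bug is not addressed. The names used are constructed samples; safe_anchor is the output-encoding alternative a reviewer would suggest in place of rejecting the input.

```python
import html
import re
from typing import Optional
from urllib.parse import parse_qs, quote, urlsplit

# Python rendering of the check quoted from tiki-setup_base.php above. The PHP
# original is a preg_match on "/^[^<>\";&#]*$/"; this port is an added example,
# not project code.
STRING_PATTERN = re.compile(r'^[^<>";&#]*$')


def passes_metachar_check(value: str) -> bool:
    """True when the value contains none of < > " ; & #."""
    return STRING_PATTERN.match(value) is not None


def naive_link(page: str) -> str:
    """Link built by pasting the page name into the query string unencoded
    (hypothetical template behaviour, used only to show the failure mode)."""
    return "tiki-index.php?page=" + page


def encoded_link(page: str) -> str:
    """Link built with percent-encoding (equivalent of PHP rawurlencode);
    safe='' so ':' is encoded as well as ' ', '#' and '&'."""
    return "tiki-index.php?page=" + quote(page, safe="")


def page_seen_by_server(url: str) -> Optional[str]:
    """Emulate what reaches the server-side handler: the browser keeps the
    fragment (everything after '#') for itself, and the query parser splits
    parameters on '&' and percent-decodes whatever is left."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    values = params.get("page")
    return values[0] if values else None


def safe_anchor(page: str) -> str:
    """Render a link to the page without rejecting its name: percent-encode
    the href and HTML-escape the visible text. Encoding at the output keeps
    the characters from being interpreted; an input filter is not needed
    for that."""
    return '<a href="%s">%s</a>' % (
        html.escape(encoded_link(page), quote=True),
        html.escape(page, quote=True),
    )


if __name__ == "__main__":
    # Constructed sample names: the one from the report, and one containing '&'.
    for name in ("BPFK Checkpoint: Letterals #1", "Tom & Jerry"):
        print(repr(name), "passes filter:", passes_metachar_check(name))
        print("  naive   ->", repr(page_seen_by_server(naive_link(name))))
        print("  encoded ->", repr(page_seen_by_server(encoded_link(name))))
        print("  anchor  ->", safe_anchor(name))
```

Run as a script it prints, for the report's page name, that the raw link delivers only "BPFK Checkpoint: Letterals " (the "#1" never leaves the browser), that the encoded link delivers the full name, and that the full name still fails the filter. Encoding the links therefore fixes the navigation problem Oliver Hertel describes, but the page can still not be created or edited until the filter itself is relaxed or replaced by output escaping and parameterised queries.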

