
pierovdfn (Sep 5th 2010):
    Hi, I don't know if it is dangerous, but there is a little bug (maybe not a bug).
    If I put
    " onload="alert('Ciao');
    as comment author, it's not escaped, and in the comment name field the onload attribute is added.
    It's annoying if someone inserts the $name variable in the title of a link or, for example, in an avatar image ALT attribute.
    I don't know if it is a problem; however, users can use escape on the comment block in the template.
NoWhereMan (Sep 5th 2010):
    Does this happen in SVN as well?
pierovdfn (Sep 5th 2010, edited):
    Posted By: NoWhereMan
        Does this happen in SVN as well?

    Yes.
    There is a backslash in the Author field (also with 0.909.1).
    This isn't so serious, because it adds an attribute only for the single user, but it becomes serious if you insert {$name} in an attribute in the comments block.
    I think your blog is affected too, because you insert {$name} as alt and as title of the gravatar image ;-)
NoWhereMan (Sep 5th 2010, edited):
    That's quite nasty. Since there is no point in saving such fields in a non-sanitized manner, all of the comment fields are now run through htmlspecialchars() in SVN.
    Funny enough, NoWhereLand was not affected; I don't remember why, but it could be because of Akismet.
pierovdfn (Sep 5th 2010, edited):
    Posted By: NoWhereMan
        That's quite nasty. Since there is no point in saving such fields in a non-sanitized manner, all of the comment fields are now run through htmlspecialchars() in SVN.
        Funny enough, NoWhereLand was not affected; I don't remember why, but it could be because of Akismet.

    I tried to guess it, I wasn't sure, and it could be :-)
    VDFN isn't affected either, because I've used
    alt="Avatar di {$name|escape}"
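The attribute injection discussed in this thread, and the htmlspecialchars() fix NoWhereMan applied, shown side by side in a small added example (not code from NoWhereLand or VDFN). The avatar markup, the `esc()` helper and the `attribute_count()` check are assumptions written for this illustration; the input string is the one pierovdfn posted, used here as constructed test data.

```php
<?php
// Added example, not NoWhereLand/VDFN code: render a comment author into an
// <img alt="..."> attribute, first unescaped, then through htmlspecialchars().

// The author string from the thread, used here as a constructed test input.
$name = '" onload="alert(\'Ciao\');';

// Vulnerable: the raw value is dropped into a double-quoted attribute, so the
// embedded quote closes alt="" and the rest becomes a new onload attribute.
function avatar_unsafe(string $name): string {
    return '<img src="/avatar.png" alt="Avatar di ' . $name . '">';
}

// Fixed: escape on output. ENT_QUOTES is passed explicitly because before
// PHP 8.1 the default left single quotes alone, which is not enough for
// alt='...' attributes. ENT_SUBSTITUTE keeps invalid UTF-8 from turning the
// whole value into an empty string. Smarty's {$name|escape} does the same job
// inside a template.
function esc(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function avatar_safe(string $name): string {
    return '<img src="/avatar.png" alt="Avatar di ' . esc($name) . '">';
}

// A crude regression check for a template: count attributes in the rendered
// tag; the template only ever emits src and alt, so anything above 2 means a
// value broke out of its attribute.
function attribute_count(string $html): int {
    return preg_match_all('/\s[a-z]+="/i', $html);
}

echo avatar_unsafe($name), PHP_EOL;  // src, alt and an injected onload
echo avatar_safe($name), PHP_EOL;    // src and alt only; quotes are &quot;
echo attribute_count(avatar_unsafe($name)), ' vs ',
     attribute_count(avatar_safe($name)), PHP_EOL;  // 3 vs 2
```

Storing the fields already escaped, as the SVN fix does, closes this particular hole, but escaping at output time (the `|escape` modifier) is what protects every template that later reuses the stored value.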