phpBB
PHPBB-9420

BBCode - Unable to use a proper URI token


    • Type: Bug
    • Resolution: Fixed
    • Priority: Major
    • Fix Version/s: 3.0.13-RC1, 3.1.0-b1
    • Affects Version/s: 3.0.x
    • Component/s: Other
    • Labels: None

      I'll use the wiki BBCode to illustrate my example.

      Lets say you have the following BBCode:

      [wiki={TOKEN}]{TEXT}[/wiki]

      and HTML replacement:

      <a href="http://wiki.phpbb.com/{TOKEN}">{TEXT}</a>

      The problem here is that with the existing tokens:

      {TEXT} - Any text, including foreign characters, numbers, etc...
      {SIMPLETEXT} - Characters from the latin alphabet (A-Z), numbers, spaces, commas, dots, minus, plus, hyphen and underscore
      {IDENTIFIER} - Characters from the latin alphabet (A-Z), numbers, hyphen and underscore
      {NUMBER} - Any series of digits
      {EMAIL} - A valid e-mail address
      {URL} - A valid URL using any protocol (http, ftp, etc... cannot be used for javascript exploits).
      {LOCAL_URL} - A local URL. The URL must be relative to the topic page.
      - A HTML colour

      It is not possible to safely use a URL that contains anchors (#) or forward slashes, i.e. only {TEXT} would currently allow it.
      If there could be an additional token to use that would include the following:

      {URI_STRING}

      - Characters from the latin alphabet (A-Z), numbers, dots, minus, plus, underscore, ampersand, question (debatable), colon, forward slash.

      While percent would be nice to have, I think hackers would agree.
      Chars I believe need to be specifically avoided: percent, semi-colon, two successive dots, two successive forward slashes.
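The PHP below is an added example written for this page, not phpBB's own BBCode implementation: it implements the proposed {URI_STRING} token with exactly the character whitelist and forbidden sequences the report lists (percent, semicolon, two successive dots, two successive forward slashes), and applies it to the [wiki={TOKEN}]{TEXT}[/wiki] replacement from the description. The function names and the sample inputs are this example's own. Note that '#' is not in the whitelist as the report states it, so a token carrying an anchor is rejected here even though anchors are part of the motivation; phpBB's real token handling differs from this simplified renderer.

```php
<?php
// Added example for PHPBB-9420 (not phpBB code): a validator for the proposed
// {URI_STRING} token and a minimal [wiki=...]...[/wiki] renderer that uses it.
// Whitelist and forbidden sequences come from the report; names are this example's own.

declare(strict_types=1);

/**
 * True if $value satisfies the proposed {URI_STRING} token:
 * latin letters, digits, '.', '-', '+', '_', '&', '?', ':', '/',
 * and none of '%', ';', '..', '//'.
 */
function is_uri_string(string $value): bool
{
    if ($value === '') {
        return false;
    }
    // Strict whitelist: anything not listed (including '%', ';', quotes,
    // '<', '>', '#' and whitespace) is rejected outright.
    if (!preg_match('#\A[A-Za-z0-9._+&?:/-]+\z#', $value)) {
        return false;
    }
    // The report asks for these two sequences to be excluded explicitly.
    if (strpos($value, '..') !== false || strpos($value, '//') !== false) {
        return false;
    }
    return true;
}

/**
 * Render [wiki=TOKEN]TEXT[/wiki] into the HTML replacement from the report.
 * The token is only interpolated into href if it passes is_uri_string();
 * otherwise the BBCode is left as escaped literal text and no link is built.
 */
function render_wiki_bbcode(string $bbcode): string
{
    return preg_replace_callback(
        '#\[wiki=([^\]]*)\](.*?)\[/wiki\]#s',
        function (array $m): string {
            $token = $m[1];
            $text  = htmlspecialchars($m[2], ENT_QUOTES, 'UTF-8');
            if (!is_uri_string($token)) {
                return htmlspecialchars($m[0], ENT_QUOTES, 'UTF-8');
            }
            return '<a href="http://wiki.phpbb.com/' . $token . '">' . $text . '</a>';
        },
        $bbcode
    );
}

// Constructed sample tokens (not taken from the tracker).
$tokens = [
    'Tutorial.Styles/Colours',        // slashes and dots: accepted, unlike {IDENTIFIER}
    'Pages?page=Styles&rev=3',        // '?' and '&' are in the proposed list: accepted
    'Tutorial/../../etc/passwd',      // two successive dots: rejected
    'Tutorial//Styles',               // two successive slashes: rejected
    '%2e%2e/secret',                  // percent: rejected
    'Styles;drop',                    // semicolon: rejected
    'x" onmouseover="alert(1)',       // quote, space, parentheses: rejected
    'Tutorial/Styles#Colours',        // '#' is absent from the stated whitelist: rejected
];

foreach ($tokens as $token) {
    printf("%-32s %s\n", $token, is_uri_string($token) ? 'accepted' : 'rejected');
}

echo render_wiki_bbcode('[wiki=Tutorial.Styles/Colours]styles[/wiki]'), "\n";
echo render_wiki_bbcode('[wiki=x" onmouseover="alert(1)]click[/wiki]'), "\n";
```

Run with `php uri_string_token.php`. The second rendered line shows the attribute-breakout attempt being left as escaped text rather than reaching the href, which is the safety property the report wants from a dedicated token instead of {TEXT}.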

            Assignee: nickvergessen (Joas Schilling)
            Reporter: Highway of Life (David Lewis) (Inactive)