phpBB3 issue PHPBB3-16053: BBCodes using {TEXT} in HTML tags no longer work

Description

      Investigating this user's post revealed what appears to be an unexpected change: https://www.phpbb.com/community/viewtopic.php?f=556&t=2511531

      In phpBB 3.2.7 (and presumably phpBB 3.2.6 as well), any new or existing BBCode which attempts to use {TEXT} inside an HTML tag attribute simply no longer works; or more specifically, generates corrupt BBCode replacement output.

      Minimal example: Create a BBCode defined as:

      [test={URL}]{TEXT}[/test]

      with its replacement HTML defined as:

      <a href="{URL}" alt="{TEXT}">{TEXT}</a>

      When saving this BBCode definition, phpBB presents the following caution: "Warning: The BBCode you are trying to add seems to use a {TEXT} token inside a HTML attribute. This is a possible XSS security issue. Try using the more restrictive {SIMPLETEXT} or {INTTEXT} types instead. Only proceed if you understand the risks involved and you consider the use of {TEXT} absolutely unavoidable. [Yes] [Cancel]"

      So it allows you to proceed with saving the current definition, even in phpBB 3.2.7.  And in phpBB 3.2.5 and earlier, this would result in a successful BBCode.

      But in phpBB 3.2.7, attempting to utilize the above example BBCode using:

      [test=http://ea117.com]Test[/test]

      results in an HTML rendering of only "Test</a>".  As though the BBCode's replacement HTML definition was just "{TEXT}</a>", instead of "<a href="{URL}" alt="{TEXT}">{TEXT}</a>" as defined.

      A guess is that the updated s9e/text-formatter library is now directly or indirectly rejecting the attempt to use this "unsafe" input in the HTML attribute.  And that there may be two ways to proceed here: Make the BBCode system honor BBCodes that were working in phpBB 3.2.5 and earlier; or to update this warning, the documentation, and the database upgrade process itself to account for the fact that such BBCode definitions simply aren't allowed any more.
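The following is an added illustration and is not code from phpBB or from s9e/TextFormatter. It models the part of the report that matters for the XSS warning: a BBCode usage line such as [test={URL}]{TEXT}[/test], its replacement HTML, and the difference between the unrestricted {TEXT} token and the restricted {SIMPLETEXT}/{INTTEXT}/{URL} tokens. The token character classes are assumptions that only approximate phpBB's own definitions; the check `text_token_in_attribute` reproduces the kind of test behind the "{TEXT} token inside a HTML attribute" caution, and `render` shows why a renderer that validates token types and HTML-escapes substituted values keeps a {TEXT}-in-attribute BBCode from breaking the surrounding markup.

```python
import html
import re

# Constructed approximations of phpBB's BBCode token types (assumption, not
# phpBB's exact definitions). {TEXT} accepts anything, including quotes and
# angle brackets; the others restrict the character set.
TOKEN_TYPES = {
    "TEXT": r".+?",                        # unrestricted
    "SIMPLETEXT": r"[a-zA-Z0-9\-+.,_ ]+",  # letters, digits, a little punctuation
    "INTTEXT": r"[\w\-+.,_ ]+",            # like SIMPLETEXT, plus Unicode letters
    "URL": r"https?://[^\s\"'<>\[\]]+",    # must look like an http(s) URL
}
TOKEN_RE = re.compile(r"\{(TEXT|SIMPLETEXT|INTTEXT|URL)(\d*)\}")


def text_token_in_attribute(replacement):
    """The check behind phpBB's caution: does a {TEXT} token sit inside an
    HTML tag (i.e. in an attribute) of the replacement markup?"""
    for tag in re.findall(r"<[^>]*>", replacement):
        if re.search(r"\{TEXT\d*\}", tag):
            return True
    return False


def compile_usage(usage):
    """Build a regex from a usage line like [test={URL}]{TEXT}[/test].
    Literal parts are escaped; each token becomes a named group whose
    pattern is the token type's character class."""
    pattern, pos, names = "", 0, []
    for m in TOKEN_RE.finditer(usage):
        pattern += re.escape(usage[pos:m.start()])
        name = m.group(1) + m.group(2)       # e.g. TEXT, TEXT2, URL
        names.append(name)
        pattern += "(?P<%s>%s)" % (name, TOKEN_TYPES[m.group(1)])
        pos = m.end()
    pattern += re.escape(usage[pos:])
    return re.compile(pattern, re.DOTALL), names


def render(usage, replacement, post):
    """Replace the first occurrence of the BBCode in `post` with its HTML.
    Token values are validated by the usage regex and HTML-escaped (quotes
    included) before substitution, so a {TEXT} value cannot close the
    attribute it is placed in. Returns None when the post does not satisfy
    the token constraints (for example a quote inside {SIMPLETEXT})."""
    regex, names = compile_usage(usage)
    m = regex.search(post)
    if m is None:
        return None
    out = replacement
    for name in names:
        out = out.replace("{%s}" % name, html.escape(m.group(name), quote=True))
    return post[:m.start()] + out + post[m.end():]


if __name__ == "__main__":
    usage = "[test={URL}]{TEXT}[/test]"
    repl = '<a href="{URL}" alt="{TEXT}">{TEXT}</a>'
    print(text_token_in_attribute(repl))
    print(render(usage, repl, "[test=http://ea117.com]Test[/test]"))
    # Constructed input with characters that would end the attribute if not escaped.
    print(render(usage, repl, '[test=http://ea117.com]Say "hi" <b>[/test]'))
    # The same input is rejected outright by the restricted token type.
    print(render("[test={URL}]{SIMPLETEXT}[/test]", repl.replace("{TEXT}", "{SIMPLETEXT}"),
                 '[test=http://ea117.com]Say "hi" <b>[/test]'))
```

The escaped rendering and the {SIMPLETEXT} rejection are the two mitigations the warning in the report points at; which of them the updated library applies to the reporter's BBCode is exactly what the issue asks to be clarified.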

      People: Marc, EA117