  1. phpBB3
  2. PHPBB3-9416

HTML entities in poll titles and options incorrectly re-encoded

    Details

    • Type: Bug
    • Status: Unverified Fix
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.0.x
    • Fix Version/s: 3.0.10-RC1
    • Component/s: phpBB 2.0 convertor
    • Labels:
      None

      Description

      HTML entities, like &quot; or &amp;, in poll titles and options are incorrectly re-encoded, e.g. to &amp;quot; or &amp;amp;.

        Activity

        D¡cky Richard Foote [X] (Inactive) added a comment -

        phpBB2 htmlspecialchars the poll title and poll options when inserting into the database. The convertor htmlspecialcharing them again breaks them.

        D¡cky Richard Foote [X] (Inactive) added a comment -

        Patch to fix htmlspecialcharing of poll titles and poll options

        D¡cky Richard Foote [X] (Inactive) added a comment -

        Revised patch

        bantu Andreas Fischer added a comment -

        It seems like not all versions of the phpBB 2.0.x series htmlspecialchared the data involved. Thus, if you upgrade from such a version and do not apply htmlspecialchars(), you might end up with 'bad' data in the database.

        Because of this, the suggested patch cannot be accepted as it is. We would have to come up with something that makes sure that the data is encoded, but not double-encoded.

        D¡cky Richard Foote [X] (Inactive) added a comment -

        It may be possible to add a version check.

        Would you give me an example of a version that does not htmlspecialchar the data involved? I checked several versions back to 2.0.1 and the ones I checked all htmlspecialchar the poll data involved in function prepare_post.

        rxu Ruslan Uzdenov added a comment -

        We could first do htmlspecialchars_decode on poll titles and options prior to utf8_htmlspecialchars them.
        htmlspecialchars_decode() is available only since PHP 5.1.0, so we should create a phpBB wrapper function for that.

        rxu Ruslan Uzdenov added a comment -

        The htmlspecialchars_decode() wrapper function is already present in includes/functions.php.

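The decode-then-encode approach suggested in the comments above, as an added PHP example that is not the phpBB convertor's code or the attached patch. `normalize_poll_text()` and `encode_again()` are hypothetical names, the built-in `htmlspecialchars()` stands in for phpBB's `utf8_htmlspecialchars()`, and the sample titles are constructed.

```php
<?php
// Added example: hypothetical helpers, not code from the phpBB convertor.

// Decode once, then encode once, so the stored value ends up encoded exactly
// once whether the phpBB 2.0.x source row was already encoded or still raw.
function normalize_poll_text(string $text): string
{
    $decoded = htmlspecialchars_decode($text, ENT_COMPAT);
    return htmlspecialchars($decoded, ENT_COMPAT, 'UTF-8');
}

// The behaviour the report describes: encoding a value without checking
// whether it is already encoded.
function encode_again(string $text): string
{
    return htmlspecialchars($text, ENT_COMPAT, 'UTF-8');
}

// Constructed sample poll titles (not taken from a real board).
$samples = [
    'already encoded' => 'Tom &amp; Jerry say &quot;hi&quot;',
    'raw'             => 'Tom & Jerry say "hi"',
    'raw with markup' => '<b>Best</b> option?',
    // Raw text in which the user literally typed the entity "&amp;".
    'literal entity'  => 'How do I type &amp; in HTML?',
];

foreach ($samples as $label => $title) {
    echo $label, "\n";
    echo '  input:           ', $title, "\n";
    echo '  encode again:    ', encode_again($title), "\n";
    echo '  decode + encode: ', normalize_poll_text($title), "\n\n";
}
```

The first three samples come out encoded exactly once, while the plain re-encode turns `&amp;` into `&amp;amp;` on the already-encoded row. The last sample shows the limit of the approach: a raw title that literally contains `&amp;` cannot be told apart from an encoded `&`, so it is stored as `&amp;` and displays as `&`.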

          People

          • Assignee:
            rxu Ruslan Uzdenov
            Reporter:
            bonzon bonzon