Uploaded image for project: 'phpBB3'
  1. phpBB3
  2. PHPBB3-9420

BBCode - Unable to use a proper URI token


    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.0.x
    • Fix Version/s: 3.0.13-RC1, 3.1.0-b1
    • Component/s: Other
    • Labels:


      I'll use the wiki BBCode to illustrate my example.

      Lets say you have the following BBCode:


      and HTML replacement:

      <a href="http://wiki.phpbb.com/{TOKEN}">{TEXT}</a>

      The problem here is that with the existing tokens:

      {TEXT} - Any text, including foreign characters, numbers, etc... {SIMPLETEXT} - Characters from the latin alphabet (A-Z), numbers, spaces, commas, dots, minus, plus, hyphen and underscore {IDENTIFIER} - Characters from the latin alphabet (A-Z), numbers, hyphen and underscore {NUMBER} - Any series of digits {EMAIL} - A valid e-mail address {URL} - A valid URL using any protocol (http, ftp, etc... cannot be used for javascript exploits). {LOCAL_URL} - A local URL. The URL must be relative to the topic page.
      - A HTML colour

      It is not possible to safely use a URL that contains anchors (#) or forward slashes. i.e. only {TEXT}

      would currently allow it.
      If there could be an additional token to use that would include the following:


      - Characters from the latin alphabet (A-Z), numbers, dots, minus, plus, underscore, ampersand, question (debatable), colon, forward slash.

      While percent would be nice to have, I think hackers would agree.
      Chars I believe need to be specifically avoided: percent, semi-colon, two successive dots, two successive forward slashes.


          Issue Links



              • Assignee:
                nickvergessen Joas Schilling
                Highway of Life David Lewis [X] (Inactive)
              • Votes:
                1 Vote for this issue
                1 Start watching this issue


                • Created: