phpBB3 / PHPBB3-9420

BBCode - Unable to use a proper URI token


Details

    Description

      I'll use the wiki BBCode to illustrate my example.

      Lets say you have the following BBCode:

      [wiki={TOKEN}]{TEXT}[/wiki]

      and HTML replacement:

      <a href="http://wiki.phpbb.com/{TOKEN}">{TEXT}</a>

      The problem here is that with the existing tokens:

      {TEXT} - Any text, including foreign characters, numbers, etc...
      {SIMPLETEXT} - Characters from the latin alphabet (A-Z), numbers, spaces, commas, dots, minus, plus, hyphen and underscore
      {IDENTIFIER} - Characters from the latin alphabet (A-Z), numbers, hyphen and underscore
      {NUMBER} - Any series of digits
      {EMAIL} - A valid e-mail address
      {URL} - A valid URL using any protocol (http, ftp, etc... cannot be used for javascript exploits).
      {LOCAL_URL} - A local URL. The URL must be relative to the topic page.
      - A HTML colour

      It is not possible to safely use a URL that contains anchors (#) or forward slashes, i.e. only {TEXT} would currently allow it.
      If there could be an additional token to use that would include the following:

      {URI_STRING}

      - Characters from the latin alphabet (A-Z), numbers, dots, minus, plus, underscore, ampersand, question (debatable), colon, forward slash.

      While percent would be nice to have, I think hackers would agree.
      Chars I believe need to be specifically avoided: percent, semi-colon, two successive dots, two successive forward slashes.

            People

              nickvergessen Joas Schilling
              Highway of Life David Lewis [X] (Inactive)