Decode htmlentities in emails and logs #144

Closed
Technical-13 opened this issue Mar 7, 2014 · 4 comments

Comments

@Technical-13
Contributor

It's really annoying (and I'm sure confusing to new users) to see escaped entities in emails and in the logs on the requests... I understand escaping for the purpose of the database, but these things should be decoded before being displayed and sent in emails. I'm assuming that we are throwing them in the db with http://us2.php.net/manual/en/function.htmlentities.php and as such, when we pull them back out we should be using http://us2.php.net/html_entity_decode

@stwalkerster
Member

Actually, I am a) sorting this as part of the PDO cleanup, and b) that is incorrect.

We should not be using either of those functions in ~95% of the places they are used at the moment. The escaping we SHOULD be doing is limited to
a) pre-database quote escaping using mysql_real_escape_string() (for legacy code only)
b) pre-html-display escaping using the |escape modifier or htmlentities() (latter for legacy only).

Escaping has been a perennial problem for us, we've gone from escaping everything in different amounts everywhere, leading to issues like the one you're probably seeing (and data corruption), to no escaping in places leading to XSS holes or SQL injection points.

As part of the PDO cleanup, I'm writing scripts to clean up and fix the database, but I've only done the ban table properly so far.
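As an added example (not code from the ACC project or from either commenter), the layering stwalkerster describes above: parameter binding instead of quote escaping on the way into the database, HTML escaping applied only at the HTML boundary, and nothing at all for a plain-text email, which is where decoding would otherwise be needed. It also reproduces the entity symptom from the issue by escaping before storage. The table, column, sample comment and function names are constructed for the demo; it assumes the pdo_sqlite extension is available.

```php
<?php
// Added example, not ACC project code: escape once, at the output boundary,
// and choose the escaping by output context. Sample data is constructed.

// A request comment as the user typed it (constructed sample input).
$rawComment = 'Please call me "Bob" & use <b>bold</b>';

// 1. Database boundary: no string escaping at all. Parameter binding keeps the
//    data out of the SQL grammar, replacing mysql_real_escape_string() entirely.
function storeComment(PDO $db, string $comment): void
{
    $stmt = $db->prepare('INSERT INTO request (comment) VALUES (:comment)');
    $stmt->execute([':comment' => $comment]);
}

// 2. HTML boundary: escape exactly here, for an HTML context. In a template
//    this is the job of the |escape modifier; in legacy PHP it is this call.
function renderForHtml(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 3. Plain-text email boundary: HTML entities mean nothing in text/plain, so
//    the stored value goes out untouched. No html_entity_decode() is needed
//    because nothing was encoded on the way in.
function renderForTextEmail(string $stored): string
{
    return $stored;
}

// The failure mode from the issue: a value that was HTML-escaped before it
// reached the database. The email path shows the entities literally, and the
// display path escapes the ampersands a second time.
$escapedBeforeStorage = htmlentities($rawComment, ENT_QUOTES, 'UTF-8');
echo "email (double-escaped data): ", renderForTextEmail($escapedBeforeStorage), "\n";
echo "html  (double-escaped data): ", renderForHtml($escapedBeforeStorage), "\n";

// The correct path: store raw, escape per boundary on the way out.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE request (comment TEXT)');
storeComment($db, $rawComment);
$stored = $db->query('SELECT comment FROM request')->fetchColumn();

echo "email (raw data): ", renderForTextEmail($stored), "\n";
echo "html  (raw data): ", renderForHtml($stored), "\n";
```

The only place a decode step belongs is as a one-off data migration for rows that were already stored escaped, which is what the clean-up scripts mentioned above do; adding html_entity_decode() to the output paths instead would hide the inconsistency and, on the HTML path, reintroduce the XSS it was meant to prevent.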

@FunPika
Contributor

FunPika commented Mar 7, 2014

Where exactly are you seeing this? This is probably someone double escaping or forgetting an html_entity_decode somewhere in legacy code.

@Technical-13
Contributor Author

&quot; in email

@stwalkerster stwalkerster added this to the After Zurich milestone Apr 11, 2014
@stwalkerster stwalkerster modified the milestone: After Zurich Jan 17, 2016
@stwalkerster stwalkerster added this to Needs reproduction in oldinternal Jun 13, 2017
@stwalkerster
Member

Fixed in newinternal

@stwalkerster stwalkerster removed this from Needing triage in oldinternal Jun 14, 2017