esotalk topic [img] xss vulnerability #401
$str = mb_convert_encoding($str, 'UTF-8', 'UTF-8'); // normalise to UTF-8, dropping invalid byte sequences
$str = htmlentities($str, ENT_QUOTES, 'UTF-8');     // escape HTML metacharacters, including both quote styles
One problem with proposed solutions is, as far as I can tell,
From glancing over the function, it seems like the simple way to solve this is to reorder the processing of BBCode so that images are processed before URLs. Then modify the regex of the [img] tag to check for valid protocols such as http/https at the beginning. I think this would prevent nesting of [img] tags, and then the URL parser would only run on URLs that are not wrapped in HTML.
I will do some testing on some solutions for this. I think the better way to solve this would be to replace the plugin with some third-party BBCode parser, but that probably won't happen.
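The ordering and protocol-check idea from the comment above, written out as an added PHP example; this is not esoTalk's own formatter code, and the function names (renderImgTags, linkifyUrls, renderPost) are hypothetical. It assumes the whole post is HTML-escaped first, then [img] tags are turned into <img> only for absolute http(s) URLs that contain no brackets, and auto-linking is run last and only over text outside already-generated tags.

```php
<?php
// Added example, not the plugin's code: defensive [img] handling for BBCode.

function renderImgTags(string $text): string
{
    // Input is already HTML-escaped, so it contains no raw < > " ' characters.
    // Only an absolute http(s) URL with no whitespace or brackets may become
    // an <img> src; excluding [ and ] stops a nested [img] from being captured.
    $pattern = '~\[img\](https?://[^\s\[\]]+)\[/img\]~i';
    return preg_replace_callback($pattern, function (array $m): string {
        // $m[1] is escaped text (e.g. & is already &amp;), so it is placed
        // in the attribute as-is rather than escaped a second time.
        return '<img src="' . $m[1] . '" alt="">';
    }, $text);
}

function linkifyUrls(string $html): string
{
    // Split on tags so auto-linking never touches an attribute value such as
    // the src of an <img> produced by renderImgTags().
    $parts = preg_split('~(<[^>]+>)~', $html, -1, PREG_SPLIT_DELIM_CAPTURE);
    foreach ($parts as $i => $part) {
        if ($i % 2 === 1) {
            continue; // odd indices are the captured tags; leave them untouched
        }
        $parts[$i] = preg_replace(
            '~(https?://[^\s<>]+)~i',
            '<a href="$1" rel="nofollow">$1</a>',
            $part
        );
    }
    return implode('', $parts);
}

function renderPost(string $raw): string
{
    $raw  = mb_convert_encoding($raw, 'UTF-8', 'UTF-8'); // drop invalid UTF-8 sequences
    $html = htmlentities($raw, ENT_QUOTES, 'UTF-8');     // escape everything first
    $html = renderImgTags($html);                        // images before URLs
    return linkifyUrls($html);                           // URLs last, outside tags only
}

// Constructed sample inputs for a quick manual check.
echo renderPost('see [img]https://example.com/a.png[/img] and https://example.com'), "\n";
echo renderPost('[img]javascript:alert(1)[/img] [img]https://example.com/x/[img]https://example.com/y.png[/img][/img]'), "\n";
```

In the second sample the non-http scheme and the outer nested tag stay as inert escaped text, and only the inner, well-formed https image becomes an <img>.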