
Escape title value in edit subscribe page #549

Merged
merged 1 commit into from Jun 7, 2019

@xh3n1
Member

commented May 31, 2019

Description

Escape $title value in insert query.

Related Issue

https://mantis.phplist.org/view.php?id=19969

Escape title value in edit subscribe page
Signed-off-by: Xheni Myrtaj <myrtajxheni@gmail.com>
@samtuke
Contributor

left a comment

Is this value already unescaped every time it is retrieved?

@xh3n1

Member Author

commented May 31, 2019

@samtuke no, only in this query.

@samtuke

Contributor

commented Jun 7, 2019

@xh3n1 I'm still concerned that this will add escape characters which never get removed. Escaped literal characters should never be visible to users, but if the titles of subscribe pages have escape chars inserted, and you have not added any corresponding function to remove them when the value is loaded again, surely users will see them?

@xh3n1

Member Author

commented Jun 7, 2019

This value is escaped in other places too, such as here for the subscribepage table:

$tables['subscribepage'], sql_escape(strip_tags($title)), $owner, $id));
and here for the subscribepage_data table: https://github.com/phpList/phplist3/blob/master/public_html/lists/admin/spageedit.php#L66. The value is escaped in the database, but "slashes" are not displayed to the user anyway as they are stripped.
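The question in this thread is whether escaping a value before an INSERT leaves escape characters in the stored data that a later SELECT would show to users. The following added example (not phpList code; it uses Python's sqlite3 module as a stand-in for phpList's MySQL layer, with a constructed `sql_escape()` that doubles single quotes the way SQLite expects) shows the three cases: escaping then splicing into the query text, binding the raw value as a parameter, and the anti-pattern of escaping a value that is then also bound, which is the only one where escape characters end up in the table. A fourth helper shows that with no escaping at all a quote in the title simply makes the statement invalid, so the row is rejected rather than stored.

```python
import sqlite3

# Constructed stand-in for phpList's sql_escape(): make a string safe to embed
# inside a single-quoted SQL literal. SQLite doubles the quote; MySQL's
# real_escape_string() would backslash it instead. In both dialects the
# escaping is consumed by the SQL parser, so it never reaches the stored value.
def sql_escape(value: str) -> str:
    return value.replace("'", "''")


def fresh_db() -> sqlite3.Connection:
    # In-memory table with just the column under discussion (constructed schema).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE subscribepage (id INTEGER PRIMARY KEY, title TEXT)")
    return conn


def stored_title(conn: sqlite3.Connection) -> str:
    # What a later page load would read back and render.
    return conn.execute("SELECT title FROM subscribepage").fetchone()[0]


def round_trip_escaped_literal(title: str) -> str:
    """Escape, then splice into the query string: the pattern this PR adds."""
    conn = fresh_db()
    conn.execute("INSERT INTO subscribepage (title) VALUES ('%s')" % sql_escape(title))
    return stored_title(conn)


def round_trip_bound_parameter(title: str) -> str:
    """Bind the raw value as a parameter; the driver handles quoting itself."""
    conn = fresh_db()
    conn.execute("INSERT INTO subscribepage (title) VALUES (?)", (title,))
    return stored_title(conn)


def round_trip_double_escaped(title: str) -> str:
    """Anti-pattern: escape AND bind. The doubled quotes become part of the data,
    which is the 'escape characters visible to users' failure mode."""
    conn = fresh_db()
    conn.execute("INSERT INTO subscribepage (title) VALUES (?)", (sql_escape(title),))
    return stored_title(conn)


def unescaped_literal_is_valid_sql(title: str) -> bool:
    """With no escaping, a quote inside the title breaks the statement.
    Returns False when the database rejects the INSERT as malformed SQL."""
    conn = fresh_db()
    try:
        conn.execute("INSERT INTO subscribepage (title) VALUES ('%s')" % title)
        return True
    except sqlite3.OperationalError:
        return False


if __name__ == "__main__":
    sample = "O'Reilly's welcome page"  # constructed title containing quotes
    print("escaped literal :", repr(round_trip_escaped_literal(sample)))
    print("bound parameter :", repr(round_trip_bound_parameter(sample)))
    print("double escaped  :", repr(round_trip_double_escaped(sample)))
    print("unescaped valid :", unescaped_literal_is_valid_sql(sample))
```

The first two calls read back exactly the original title, so no "unescape on load" step is needed; only the double-escaped variant stores the doubled quotes. When auditing a code base that mixes `sql_escape()`-style concatenation with prepared statements, the double-escaped path is the one to look for.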

@samtuke samtuke merged commit f4e02f2 into master Jun 7, 2019

2 checks passed

continuous-integration/travis-ci/pr The Travis CI build passed
continuous-integration/travis-ci/push The Travis CI build passed