Quam Plures

Merge lp:~quam-plures-core/quam-plures/posting_xhtml-fixes into lp:quam-plures

  1. posting_xhtml-fixes
  2. Merge into trunk
Proposed by Tilman Blumenbach
Status: Merged
Merged at revision: 7604
Proposed branch: lp:~quam-plures-core/quam-plures/posting_xhtml-fixes
Merge into: lp:quam-plures
Diff against target: 406 lines (+186/-76)
4 files modified
qp_inc/_core/_misc.funcs.php (+4/-13)
qp_inc/_core/_param.funcs.php (+107/-47)
qp_inc/xhtml_validator/_xhtml_validator.class.php (+72/-14)
qp_srvc/comment_post.php (+3/-2)
To merge this branch: bzr merge lp:~quam-plures-core/quam-plures/posting_xhtml-fixes
Reviewer Review Type Date Requested Status
EdB Approve
Tilman Blumenbach (community) Needs Resubmitting
Yabs security-check Pending
Review via email: mp+64326@code.launchpad.net

Description of the change

Discussion: http://forums.quamplures.net/viewtopic.php?f=11&t=809
---------------------

This branch cleans up some of the mess that posting and validating XHTML in QP currently is.

For example, this branch allows using HTML comments (<!-- ... -->) when posting (that was not possible until now). However, blog comments may not contain HTML comments -- they are converted to visible HTML (i. e. &lt;-- ... --&gt;). While HTML comments make sense in posts, I don't think that's the case for blog comments. It would just confuse users not familiar with HTML.

An important fix I incorporated into this branch is that all XHTML needs to be well-formed: Unclosed comments etc. are rejected. In the past, you could post blog comments simply containing "<!--", which would comment out everything after the blog comment (i. e. the rest of the page). Not good at all (shhh, I didn't tell you that!).

Finally, remember bug 736035? The fix we committed back then certainly works, but it's ugly. This branch has a better solution: Processing instructions (<?foo ... ?>) in posts are allowed as long as they contain valid XHTML (however, comments cannot contain processing instructions). Let me explain:

Something like "<?<a><script>alert(0)</script>" (from the POC) would fail because it's not well-formed. But even if you make it well-formed ("<?foo <script>alert(0)</script> ?>") our XHTML parser would detect the forbidden <script> tag. Hah! Gotcha!

In other words, something like "<?foo <a href="http://google.com">Goooooooogle</a> ?>" is fine, but dangerous processing instructions like that one above are not. After all, processing instructions *could* be useful for some users.

Of course, that violates the XML spec. Processing instructions contain application-specific data so strictly speaking, we cannot assume that data to be XHTML. Well, if we don't, we make it possible to perform XSS attacks.

A clean solution would be to disallow processing instructions completely, but what if somebody finds a legitimate use for them? I don't want to restrict users.

To post a comment you must log in.
Revision history for this message
EdB (edb) wrote :

Possiubly unrelated to this branch, and excuse me for not checking, but there are some really simple things I wanted to fix regarding xhtml trans and strict. I wonder if you'd mind adding them if they are not in this branch?

Simple stuff, and I'll find a file. Attributes get added to an image that are not xhtml strict even though 10 lines above a check is made for "if strict do it this way", and then the image tags get closed with "/>" instead of " />". It involves a minor style change and (again) I can't recall exactly why.

Anyway if you're up for adding a potentially unrelated yet slightly related bit I'd be happy to try to find the right file and bits for you.

Revision history for this message
Tilman Blumenbach (tblue) wrote :

Sure, why not. Go ahead. :)

Revision history for this message
EdB (edb) wrote :

will do a forum thread due to it is easy to put code bits into that system than here ... although technically it is just copy/paste but the end result is easier to read is the thing :)

Revision history for this message
EdB (edb) wrote :

Finally downloading this branch. If I can remember how to make stuff run on localhost I'll get it tested today. If not I'll figure that stuff out today and get this branch tested tomorrow.

Revision history for this message
EdB (edb) wrote :

Finally tried a test on this and I don't see where it fails, but I don't see what gain we get from it. Specifically, I tried posting some php code and nothing happened. Which sort of makes sense given that spitting out the item's content is part of what the server does, but it doesn't revisit the content to see if new instructions exist.

<?php echo "http://localhost/branches_from_others/posting_xhtml-fixes/media/blogs/id_1/waterfall.jpg"; ?> doesn't post the image - it just gets ignored.

Adding some text then a comment then some text worked, but each bit of text got wrapped in it's own P tag.

hello world! <!-- this is a comment -->how's it going? created 2 paragraphs is what I mean. I'm not sure that is what a user would expect when adding an inline comment ya know?

As I said I don't see a problem, but I'm also not sure I see the gain. Other than the "shhh!" issue, which clearly needed to be fixed. Can you show me a case where enabling code in posts actually works? Even if it isn't very realistic (like php to pop in an image), just something that shows how it is a gain.

Gonna leave this as a comment instead of approving because I'm a bit worried that somehow we might have bit ourselves in the ass. Hopefully Yabs can look at it from a security angle cuz I pretty much can't. Malicious mean-spirited code is much more a Yabs thing ;) And if Yabs is okay with this branch then I have no objection and will gladly do the merge thing.

Revision history for this message
EdB (edb) wrote :

OT: you tinkered in an area I have a heavy tinker in, so it is going to kill me to make it be "mine" again. The html_sanity_check function is where I added a bit for one day going to xhtml(trans,strict) and/or html5. Such is life eh? Hopefully I'll be able to deal with it smartly later on :)

Revision history for this message
Tilman Blumenbach (tblue) wrote :

> <?php echo "http://localhost/branches_from_others/posting_xhtml-fixes/media/blogs/id_1/waterfall.jpg"; ?> doesn't post the image - it just gets ignored.

Yes, but that's not my fault. The PHP code isn't actually parsed, it's treated as HTML and since that's invalid HTML, you don't see an image. You'd have to use an ordinary <img> tag for that, as usual. It's always been this way.

So what's the purpose of this branch? As you said, for one, it allows us to use comments. Fine, the plugin that makes the <p> tags seems to have its problems with that, I guess I'll have to fix it: Comments should be ignored completely.

Additionally, this branch implements a cleaner fix for the security vulnerability issue we had a while ago. Back then, we basically disallowed everything looking like "<? ... ?>". I think that's bad as such constructs may -- theoretically -- be of use to somebody out there. So what I did is to allow such constructs, but only if they are safe.

Okay, let yabs look at it, I wanted him to do that anyway. ;)

Revision history for this message
EdB (edb) wrote :

The P tag thing isn't mission-critical but if it seems an easy fix that'd be cool.

My only concern is that I don't know how to look for security issues that might (but probably haven't) been opened up. I got now in my head a great idea: if Yabs can't get to this before I go back out on the road I'll do the merge thing. That's a couple of days unless I find something that doesn't involve going out on the road, but in that case it'll still be a couple of days cuz it's easier than actually trying to plan :)

Revision history for this message
Tilman Blumenbach (tblue) wrote :

I will look at the <p> tag issue now.

Revision history for this message
EdB (edb) wrote :

I just remembered that the original creative commons plugin used an html comment to trigger the renderer, so I did a v000 install and added a comment inline. It allowed the comment AND broke the paragraph around it. So this P tag behavior is not a new thing.

In the CC plugin the licensing went at the end so no one noticed that it split content around it.

Revision history for this message
Tilman Blumenbach (tblue) wrote :

I think I have fixed the <p> tag issue. Maybe it's not a perfect solution, but it seems to work. I hope it works together with other plugins, too.

review: Needs Resubmitting
Revision history for this message
Tilman Blumenbach (tblue) wrote :

Well, now it's messing up HTML comments spanning multiple lines.

I feel that the Auto-P plugin needs an overhaul, it's messy. :(

Revision history for this message
EdB (edb) wrote :

For what it's worth, I'd say leave it as-is for now since the observed behavior (undesirable though it may be) is not induced by this branch. I just happened to notice it when testing.

I may be wrong, but there have been problems observed with Auto-P ever since forever. Especially when it comes time to interact with other rendering plugins. Hoo boy does that ever get messy, and you can often change symptoms by changing plugin priority numbers.

Revision history for this message
Tilman Blumenbach (tblue) wrote :

Good, then let's merge this, it kinda works anyway. Let's hope nobody uses multiline HTML comments in the near future.

Revision history for this message
Tilman Blumenbach (tblue) wrote :

I will look at making the Auto-P plugin work correctly soon... So many things to do: Anti-CSRF tokens (aka nonces), fixing Auto-P... *cough*

lp:~quam-plures-core/quam-plures/posting_xhtml-fixes updated
7617. By Tilman Blumenbach

Reverted changes to Auto-P plugin, will fix it in another branch

7618. By Tilman Blumenbach

Merged trunk

Revision history for this message
EdB (edb) wrote :

24 hour warning!

If anyone has any desire to further test this branch please do so asap! I doubt they have a truck for me but they might, so I might be on the road again soon. That means I need to get this merge done even though I personally don't know how to really really REALLY test it for possible undesirable side effects. It works and Tblue knows what he's doing, but heck we've burned ourselves before so ... anyway I'd love to see someone else test this branch but if not it'll get merged in 24 hours (more or less).

Revision history for this message
Yabs (yabs) wrote :

Bugger, I'll attempt to check this within 24 hours .. tad hectic here atm though

If I don't make the deadline then take my (cursory) glance at code as "approved" .. tblue usually knows what he's on about

¥

Revision history for this message
EdB (edb) wrote :

I thought for sure I put an approved on this, but obviously not.

I'll do the dracones branch now, and wait the rest of today for Yabs to take a look. Else I'll merge this one this evening (MTZ).

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== modified file 'qp_inc/_core/_misc.funcs.php'
2--- qp_inc/_core/_misc.funcs.php 2011-01-31 22:13:02 +0000
3+++ qp_inc/_core/_misc.funcs.php 2011-06-20 11:14:51 +0000
4@@ -2645,11 +2645,6 @@
5 case 'imgtag':
6 $r = '<img src="'.$rsc_url.$icon['file'].'" ';
7
8- if( !$use_strict )
9- { // Include non CSS fallbacks - transitional only:
10- $r .= 'border="0" align="top" ';
11- }
12-
13 // Include class (will default to "icon"):
14 if( ! isset( $params['class'] ) )
15 {
16@@ -2659,7 +2654,7 @@
17 }
18 else
19 {
20- $params['class'] = '';
21+ $params['class'] = 'middle';
22 }
23 }
24
25@@ -2686,7 +2681,7 @@
26 $r .= get_field_attribs_as_string( $params, false );
27
28 // Close tag:
29- $r .= '/>';
30+ $r .= ' />';
31
32
33 if( $include_in_legend && ( $IconLegend = & get_IconLegend() ) )
34@@ -2702,11 +2697,7 @@
35
36 $r = '<img src="'.$rsc_url.$blank_icon['file'].'" ';
37
38- // TODO: dh> add this only for !$use_strict, like above?
39- // Include non CSS fallbacks (needed by bozos... and basic template):
40- $r .= 'border="0" align="top" ';
41-
42- // Include class (will default to "noicon"):
43+ // Include class (will default to "no_icon"):
44 if( ! isset( $params['class'] ) )
45 {
46 if( isset($icon['class']) )
47@@ -2735,7 +2726,7 @@
48 $r .= get_field_attribs_as_string( $params, false );
49
50 // Close tag:
51- $r .= '/>';
52+ $r .= ' />';
53
54 return $r;
55 /* BREAK */
56
57=== modified file 'qp_inc/_core/_param.funcs.php'
58--- qp_inc/_core/_param.funcs.php 2011-03-16 14:56:32 +0000
59+++ qp_inc/_core/_param.funcs.php 2011-06-20 11:14:51 +0000
60@@ -1626,12 +1626,15 @@
61 * It is NOT (necessarily) safe to use the output.
62 *
63 * @param string The content to format
64- * @param string
65+ * @param string Context: "posting", "xmlrpc_posting" or "commenting"
66 * @param integer Create automated <br /> tags?
67 * @param string Encoding (used for XHTML_Validator only!); defaults to $io_charset
68+ * @param boolean When "posting" or "xmlrpc_posting", should comments be converted to
69+ * visible HTML? Forced to true when "commenting".
70 * @return boolean|string
71 */
72-function check_html_sanity( $content, $context = 'posting', $autobr = false, $encoding = NULL )
73+function check_html_sanity( $content, $context = 'posting', $autobr = false,
74+ $encoding = NULL, $escape_comments = false )
75 {
76 global $use_balanceTags, $admin_url;
77 global $io_charset, $use_xhtmlvalidation_for_comments, $comment_allowed_tags, $comments_allow_css_tweaks;
78@@ -1679,10 +1682,12 @@
79
80 $error = false;
81
82+ // NOTE: These RegExps match NameStartChar and NameChar, but exclude
83+ // higher characters (i. e. UTF-8). That's pure laziness: FIXME.
84 // Replace any & that is not a character or entity reference with &amp;
85 $content = preg_replace( '/&(?!#[0-9]+;|#x[0-9a-fA-F]+;|[a-zA-Z_:][a-zA-Z0-9._:-]*;)/', '&amp;', $content );
86- // Fix for smileys like LOVE <3 (and other situations with '<' before a number).
87- $content = preg_replace( '#<([0-9])#', '&lt;$1', $content );
88+ // Escape any '<'s that are not used in a valid manner:
89+ $content = preg_replace( '#<(?![!?/]|[a-zA-Z_:][a-zA-Z0-9._:-]*)#', '&lt;', $content );
90
91 // ANTISPAM check:
92 if( ! $bypass_antispam
93@@ -1719,6 +1724,30 @@
94 $content = balance_tags( $content );
95 }
96
97+ if( $context == 'commenting' || $escape_comments )
98+ { // Comments, processing instructions etc. are not allowed when commenting.
99+ $content = str_replace( array(
100+ // Comments, CDATA sections and various declarations.
101+ // Declarations end with a single '>' which makes it hard
102+ // to correctly detect their closing tags. Thus, we don't
103+ // even try to do that (FIXME).
104+ '<!',
105+ // Closing comments
106+ '-->',
107+ // Closing CDATA sections
108+ ']]>',
109+ // Processing instructions
110+ '<?',
111+ '?>',
112+ ), array(
113+ '&lt;!',
114+ '--&gt;',
115+ ']]&gt;',
116+ '&lt;?',
117+ '?&gt;',
118+ ), $content );
119+ }
120+
121 if( $xhtmlvalidation )
122 { // We want to validate XHTML:
123 load_class( 'xhtml_validator/_xhtml_validator.class.php' );
124@@ -1739,49 +1768,80 @@
125 { // DEPRECATED but still...
126 $content = strip_tags( $content, $comment_allowed_tags );
127 }
128-
129- // Security checking:
130- $check = $content;
131- // Open comments or '<![CDATA[' are dangerous
132- $check = str_replace('<!', '<', $check);
133- // # # are delimiters
134- // i modifier at the end means caseless
135-
136- // CHECK Styling restictions:
137- if( ! $allow_css_tweaks
138- && preg_match( '#\s((style|class|id)\s*=)#i', $check, $matches) )
139- {
140- $Messages->add( T_('Illegal CSS markup found: ').htmlspecialchars($matches[1]), 'error' );
141- $error = true;
142- }
143-
144- // CHECK JAVASCRIPT:
145- if( ! $allow_javascript
146- && ( preg_match( '¤( < \s* //? \s* (script|noscript) )¤xi', $check, $matches )
147- || preg_match( '#\s((on[a-z]+)\s*=)#i', $check, $matches )
148- // action=, background=, cite=, classid=, codebase=, data=, href=, longdesc=, profile=, src=, usemap=
149- || preg_match( '#=["\'\s]*((javascript|vbscript|about):)#i', $check, $matches ) ) )
150- {
151- $Messages->add( T_('Illegal javascript markup found: ').htmlspecialchars($matches[1]), 'error' );
152- $error = true;
153- }
154-
155- // CHECK IFRAMES:
156- if( ! $allow_iframes
157- && preg_match( '¤( < \s* //? \s* (frame|iframe) )¤xi', $check, $matches) )
158- {
159- $Messages->add( T_('Illegal frame markup found: ').htmlspecialchars($matches[1]), 'error' );
160- $error = true;
161- }
162-
163- // CHECK OBJECTS:
164- if( ! $allow_objects
165- && preg_match( '¤( < \s* //? \s* (applet|object|param|embed) )¤xi', $check, $matches) )
166- {
167- $Messages->add( T_('Illegal object markup found: ').htmlspecialchars($matches[1]), 'error' );
168- $error = true;
169- }
170-
171+ else if( ! $escape_comments
172+ && preg_match_all( '#(?:<!--|<!\[CDATA\[|<\?)#i', $content, $matches, PREG_OFFSET_CAPTURE ) )
173+ { // We are posting an item, try an el-cheapo check for unclosed
174+ // comments, processing instructions etc.
175+ // Declarations end with a single '>' which is hard to detect
176+ // correctly, so we don't try to validate them here. In theory,
177+ // this may be an issue, but apparently, it's not a big threat.
178+ static $search = array(
179+ '<!--' => '-->',
180+ '<![CDATA[' => ']]>',
181+ '<?' => '?>',
182+ );
183+
184+ $last_offset = 0;
185+ foreach( $matches[0] as $m )
186+ {
187+ list( $text, $this_offset ) = $m;
188+ if( $this_offset < $last_offset )
189+ {
190+ continue;
191+ }
192+
193+ $last_offset = strpos( $content, $search[$text], $this_offset + strlen( $text ) );
194+ if( $last_offset === false )
195+ {
196+ $Messages->add( T_( 'XML document not well-formed, are there unclosed comments or processing instructions?' ), 'error' );
197+ $error = true;
198+ break;
199+ }
200+
201+ $last_offset += strlen( $search[$text] );
202+ }
203+ }
204+
205+ if( ! $error )
206+ { // No error yet?
207+ // TODO: Remove useless assignment.
208+ $check = $content;
209+
210+ // CHECK Styling restictions:
211+ if( ! $allow_css_tweaks
212+ && preg_match( '#\s((style|class|id)\s*=)#i', $check, $matches) )
213+ {
214+ $Messages->add( T_('Illegal CSS markup found: ').htmlspecialchars($matches[1]), 'error' );
215+ $error = true;
216+ }
217+
218+ // CHECK JAVASCRIPT:
219+ if( ! $allow_javascript
220+ && ( preg_match( '¤( < \s* //? \s* (script|noscript) )¤xi', $check, $matches )
221+ || preg_match( '#\s((on[a-z]+)\s*=)#i', $check, $matches )
222+ // action=, background=, cite=, classid=, codebase=, data=, href=, longdesc=, profile=, src=, usemap=
223+ || preg_match( '#=["\'\s]*((javascript|vbscript|about):)#i', $check, $matches ) ) )
224+ {
225+ $Messages->add( T_('Illegal javascript markup found: ').htmlspecialchars($matches[1]), 'error' );
226+ $error = true;
227+ }
228+
229+ // CHECK IFRAMES:
230+ if( ! $allow_iframes
231+ && preg_match( '¤( < \s* //? \s* (frame|iframe) )¤xi', $check, $matches) )
232+ {
233+ $Messages->add( T_('Illegal frame markup found: ').htmlspecialchars($matches[1]), 'error' );
234+ $error = true;
235+ }
236+
237+ // CHECK OBJECTS:
238+ if( ! $allow_objects
239+ && preg_match( '¤( < \s* //? \s* (applet|object|param|embed) )¤xi', $check, $matches) )
240+ {
241+ $Messages->add( T_('Illegal object markup found: ').htmlspecialchars($matches[1]), 'error' );
242+ $error = true;
243+ }
244+ }
245 }
246
247 if( $error )
248
249=== modified file 'qp_inc/xhtml_validator/_xhtml_validator.class.php'
250--- qp_inc/xhtml_validator/_xhtml_validator.class.php 2011-03-16 14:56:32 +0000
251+++ qp_inc/xhtml_validator/_xhtml_validator.class.php 2011-06-20 11:14:51 +0000
252@@ -55,14 +55,24 @@
253 var $stack = array();
254 var $last_checked_pos;
255 var $error;
256+
257+ var $allow_css_tweaks;
258+ var $allow_iframes;
259+ var $allow_javascript;
260+ var $allow_objects;
261
262 /**
263 * Constructor
264 *
265 * {@internal This gets tested in _libs.misc.simpletest.php}}
266 *
267- * @param string
268- * @param string Input encoding to use ('ISO-8859-1', 'UTF-8', 'US-ASCII' or '' for auto-detect)
269+ * @param string Context: "posting", "xmlrpc_posting" or "commenting"
270+ * @param boolean Allow the "style" attribute to be used?
271+ * @param boolean Allow using the <iframe> tag?
272+ * @param boolean Allow using the <script> and <noscript> tags?
273+ * @param boolean Allow using the <object> and <embed> tags?
274+ * @param string Input encoding to use ('ISO-8859-1', 'UTF-8', 'US-ASCII' or ''/NULL for auto-detect)
275+ * @param string Message category for error messages
276 */
277 function XHTML_Validator( $context = 'posting', $allow_css_tweaks = false, $allow_iframes = false, $allow_javascript = false, $allow_objects = false, $encoding = NULL, $msg_type = 'error' )
278 {
279@@ -71,6 +81,10 @@
280 require $inc_path.'xhtml_validator/_xhtml_dtd.inc.php';
281
282 $this->context = $context;
283+ $this->allow_css_tweaks = $allow_css_tweaks;
284+ $this->allow_iframes = $allow_iframes;
285+ $this->allow_javascript = $allow_javascript;
286+ $this->allow_objects = $allow_objects;
287
288 switch( $context )
289 {
290@@ -137,6 +151,7 @@
291 xml_set_element_handler($this->parser, 'tag_open', 'tag_close');
292 // set function to call for the actual data
293 xml_set_character_data_handler($this->parser, 'cdata');
294+ xml_set_processing_instruction_handler( $this->parser, 'pi_handler' );
295
296 xml_parser_set_option($this->parser, XML_OPTION_CASE_FOLDING, false);
297 }
298@@ -166,12 +181,6 @@
299 }
300 }
301
302- // Remove special tokens:
303- // "<!": Open comments or '<![CDATA[' are dangerous.
304- // "<?": Processing instructions allow an attacker to inject arbitrary HTML.
305- // (LP bug #736035).
306- $xhtml = str_replace( array( '<!', '<?' ), '', $xhtml );
307-
308 $xhtml_head = '<?xml version="1.0"';
309 if( ! empty($this->encoding) )
310 {
311@@ -207,9 +216,30 @@
312 $xml_error_string .= ' near <code>'.htmlspecialchars( evo_substr( $xhtml, $this->last_checked_pos, $pos-$this->last_checked_pos+20 ) ).'</code>';
313
314 $this->html_error( T_('Parser error: ').$xml_error_string );
315- }
316-
317- return $this->isOK();
318+ return false;
319+ }
320+
321+ if( ! $this->isOK() )
322+ { // Error occurred while parsing, abort early.
323+ return false;
324+ }
325+
326+ // Everything seems to be okay, but the document may not have been
327+ // parsed completely (caused by unclosed comments and/or processing
328+ // instructions). We detect this by checking whether the tags are balanced;
329+ // this is the case only if the whole document has been parsed.
330+ // Note that we enclose the user-supplied data in <body> tags so
331+ // that nothing malicious can be injected after the closing <body>
332+ // tag -- if that would be possible, all tags would be balanced
333+ // but there could still be malicious data...
334+ if( ! empty( $this->stack ) )
335+ {
336+ $this->html_error( T_( 'XML document not well-formed, are there unclosed comments or processing instructions?' ) );
337+ return false;
338+ }
339+
340+ // This is a valid XML document! Congratulations!
341+ return true;
342 }
343
344
345@@ -306,9 +336,37 @@
346 array_pop($this->stack);
347 }
348
349-/**
350- * dummy docblock makes error-free autodocs
351- */
352+ /**
353+ * Called when the parser finds a processing instruction.
354+ *
355+ * We try to check the contents of the instruction for safe XHTML.
356+ */
357+ function pi_handler( $parser, $target, $data )
358+ {
359+ $this->last_checked_pos = xml_get_current_byte_index( $this->parser );
360+
361+ // If previous tag is illegal, no point in running tests
362+ $previous = $this->stack[count( $this->stack ) - 1];
363+ if( ! in_array( $previous, array_keys( $this->tags ) ) )
364+ {
365+ return;
366+ }
367+
368+ // This is ugly but seems to be the best way. Just parse the data as
369+ // it were XHTML.
370+ $validator = new XHTML_Validator( $this->context, $this->allow_css_tweaks,
371+ $this->allow_iframes, $this->allow_javascript,
372+ $this->allow_objects, $this->encoding, $this->msg_type );
373+ if( ! $validator->check( $data ) )
374+ {
375+ $this->html_error( sprintf( T_( 'Invalid data in processing instruction <code>&lt;?%s</code> (see above)' ),
376+ htmlspecialchars( $target ) ) );
377+ }
378+ }
379+
380+ /**
381+ * dummy docblock makes error-free autodocs
382+ */
383 function html_error( $string )
384 {
385 global $Messages;
386
387=== modified file 'qp_srvc/comment_post.php'
388--- qp_srvc/comment_post.php 2010-12-31 12:12:03 +0000
389+++ qp_srvc/comment_post.php 2011-06-20 11:14:51 +0000
390@@ -165,7 +165,8 @@
391 // TODO: AutoBR should really be a "comment renderer" (like with Items)
392 // OLD stub: $comment = format_to_post( $comment, $comment_autobr, 1 ); // includes antispam
393 $saved_comment = $comment;
394-$comment = check_html_sanity( $comment, $perm_comment_edit ? 'posting' : 'commenting', $comment_autobr );
395+$comment = check_html_sanity( $comment, $perm_comment_edit ? 'posting' : 'commenting',
396+ $comment_autobr, NULL, true /* escape comments */ );
397 if( $comment === false )
398 { // ERROR
399 $comment = $saved_comment;
400@@ -399,4 +400,4 @@
401 header_redirect(); // Will save $Messages into Session
402
403
404-?>
405\ No newline at end of file
406+?>

Subscribers

People subscribed via source and target branches