Quam Plures

Merge lp:~tblue/quam-plures/bug13_fix_credits_disp into lp:quam-plures

  1. bug13_fix_credits_disp
  2. Merge into trunk
Proposed by Tilman Blumenbach
Status: Merged
Merged at revision: 7634
Proposed branch: lp:~tblue/quam-plures/bug13_fix_credits_disp
Merge into: lp:quam-plures
Diff against target: 137 lines (+22/-19)
2 files modified
qp_templates/_credits.disp.php (+11/-10)
qp_templates/basic/_credits.disp.php (+11/-9)
To merge this branch: bzr merge lp:~tblue/quam-plures/bug13_fix_credits_disp
Reviewer Review Type Date Requested Status
Lee Turner (community) Approve
EdB Approve
Review via email: mp+74485@code.launchpad.net

Description of the change

Fixes http://bugs.quamplures.net/cgi-bin/show_bug.cgi?id=13 and adds missing format_to_output() calls to all the _credits.disp.php files in order to make sure that the template does not get messed up by a bad encoding etc and/or bad HTML.

To post a comment you must log in.
lp:~tblue/quam-plures/bug13_fix_credits_disp updated
7630. By Tilman Blumenbach

Merged trunk r7632

Revision history for this message
EdB (edb) wrote :

will get this done today (mtz)

Revision history for this message
EdB (edb) wrote :

Looks good, installs without issue, cures the common cold. Yay!

review: Approve
Revision history for this message
Lee Turner (leeturner) wrote :

I just have a few quick questions on this one:

Should we be formatting the output to allow all html or should we be restricting it to only allow a limited amount or none at all?

If it is to allow all html but not let it get messed up with bad encoding and/or bad html (as the description of the branch admittedly says) then all is cool and I can approve. However, I have just embedded a youtube video in the long description of a plugin which appears in the credits page via an iframe which seems a little wrong to me. I could embed anything in that iframe really.

Also, all of these things apply to the admin as well. None of the descriptions etc have the 'format_to_output' applied to them in the admin code. Admittedly it is not as bigger problem as the admin is limited in access but still - the youtube videos still display.

review: Needs Information
Revision history for this message
Lee Turner (leeturner) wrote :

I guess in summary, what I am asking is whether we should be doing:

format_to_output( $a_plugin->long_desc, 'entityencoded' )

so no html is allowed but just displayed as is?

L

review: Needs Information
Revision history for this message
Tilman Blumenbach (tblue) wrote :

The reason I chose 'htmlbody' for the output filter is that we use it in other places where we output plugin descriptions etc. as well, so I thought it was appropriate. Admittedly, it allows all HTML and only makes sure things like the charset are correct.

Of course it would be better to restrict the HTML tags that can be used -- not only on the credits page but in the admin interface as well. 'entityencoded' should work, let me check. I will change the code to use that filter if everything works.

Revision history for this message
EdB (edb) wrote :

What would be wrong with a youtube video in a template credit? Or a link or a list or an image? As long as it is properly formed and thus doesn't break the page, and as long as we're scrubbing for malicious intent I can't see why we would want to restrict. Well, other than restricting to what works inside a definition list since that is a current use of that info.

Revision history for this message
Tilman Blumenbach (tblue) wrote :

Hm. I figured that a template author can sneak in malicious content anyway. Same is true for plugin authors, just use the appropriate hook and output your bad HTML.

Revision history for this message
Tilman Blumenbach (tblue) wrote :

...so I guess using 'entityencoded' does not make that much sense after all...?

Revision history for this message
EdB (edb) wrote :

Hey wait. So ... what your saying is a bad person might take advantage of our hooks to do bad things? Like, they might just pop in through the wide open front door? And here I thought all we had to do was worry about then looking for sneaky back-door methods to do evil deeds.

:)

I'm quite happy with this branch as-is. We are sanitizing bits that should be, without worrying about OMG they might be evil ... not that concern is inappropriate.

OFF TOPIC: never mind I'll go off topic in a forum thread.

Revision history for this message
Lee Turner (leeturner) wrote :

Cool, just thought I would ask.

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== modified file 'qp_templates/_credits.disp.php'
2--- qp_templates/_credits.disp.php 2011-08-29 14:22:24 +0000
3+++ qp_templates/_credits.disp.php 2011-09-13 14:47:22 +0000
4@@ -10,7 +10,6 @@
5 * @copyright (c) 2010 by the Quam Plures developers - {@link http://quamplures.net/}
6 * @license http://quamplures.net/license.html GNU General Public License (GPL)
7 * @package templates
8- *
9 */
10 if( !defined('QP_MAIN_INIT') ) die( 'Please, do not access this page directly.' );
11
12@@ -33,11 +32,11 @@
13
14 foreach( $credits as $linkback )
15 {
16- echo '<dt>'.format_to_output( $linkback['pre'], 'htmlbody').'</dt>';
17- echo '<dd><a href="', $linkback['url'].'" title="';
18+ echo '<dt>'.format_to_output( $linkback['pre'], 'htmlbody' ).'</dt>';
19+ echo '<dd><a href="'.format_to_output( $linkback['url'], 'htmlattr' ).'" title="';
20 echo format_to_output( $linkback['title'], 'htmlattr' ).'">';
21 echo format_to_output( $linkback['text'], 'text' ).'</a></dd><dd>';
22- echo format_to_output( $linkback['post'], 'htmlbody')."</dd>\n";
23+ echo format_to_output( $linkback['post'], 'htmlbody' )."</dd>\n";
24 }
25
26 echo '</dl></dd>'."\n";
27@@ -59,19 +58,21 @@
28 $p_name = format_to_output( $a_plugin->name, 'htmlbody' );
29 if( $a_plugin->help_url != '' )
30 {
31- $p_name = '<a href="'.$a_plugin->help_url.'" title="'.T_('visit this plugins web page').'">'.$p_name.'</a>';
32+ $p_name = '<a href="'.format_to_output( $a_plugin->help_url, 'htmlattr' ).'" title="'.format_to_output( T_('visit this plugins web page'), 'htmlattr' ).'">'.$p_name.'</a>';
33 }
34
35 $a_name = format_to_output( $a_plugin->author, 'htmlbody' );
36 if( $a_plugin->author_url != '' )
37 {
38- $a_name = '<a href="'.$a_plugin->author_url.'" title="'.T_('visit the authors website').'">'.$a_name.'</a>';
39+ $a_name = '<a href="'.format_to_output( $a_plugin->author_url, 'htmlattr' ).'" title="'.format_to_output( T_('visit the authors website'), 'htmlattr' ).'">'.$a_name.'</a>';
40 }
41
42 $credits[ strtolower( $a_plugin->name ) ] = array(
43 'p_name' => $p_name,
44 'a_name' => $a_name,
45- 'desc' => $a_plugin->long_desc,
46+ // Looks like we usually allow HTML in plugin descriptions.
47+ // We still need to make sure no bad chars mess up the template/encoding.
48+ 'desc' => format_to_output( $a_plugin->long_desc, 'htmlbody' ),
49 );
50 }
51
52@@ -103,7 +104,7 @@
53 echo '<dd><dl>'."\n";
54 foreach( $_hic_sunt_dracones as $dracone )
55 {
56- echo '<dt><a href="'.$dracone['homepage'].'" title="';
57+ echo '<dt><a href="'.format_to_output( $dracone['homepage'], 'htmlattr' ).'" title="';
58 echo format_to_output( $dracone['homepage'], 'htmlattr' ).'">';
59 echo format_to_output( $dracone['name'], 'text' ).'</a></dt><dd>';
60 locale_flag( $dracone['locale'], 'h10px', 'leftmargin' );
61@@ -115,9 +116,9 @@
62 // Finally: QP's only linkback
63 if( isset( $Template ) )
64 {
65- echo '<dt>'.$Template->poweredby_linkback['pre'].':</dt>'."\n";
66+ echo '<dt>'.format_to_output( $Template->poweredby_linkback['pre'], 'htmlbody' ).':</dt>'."\n";
67 echo '<dd><dl>', "\n";
68- echo '<dt><a href="', $Template->poweredby_linkback['url'], '" title="';
69+ echo '<dt><a href="'.format_to_output( $Template->poweredby_linkback['url'], 'htmlattr' ).'" title="';
70 echo format_to_output( $Template->poweredby_linkback['title'], 'htmlattr' ), '">';
71 echo format_to_output( $Template->poweredby_linkback['text'], 'text' ), '</a></dt><dd>';
72 echo format_to_output( $Template->poweredby_linkback['post'], 'htmlbody'), "</dd>\n";
73
74=== modified file 'qp_templates/basic/_credits.disp.php'
75--- qp_templates/basic/_credits.disp.php 2011-08-29 14:22:24 +0000
76+++ qp_templates/basic/_credits.disp.php 2011-09-13 14:47:22 +0000
77@@ -38,11 +38,11 @@
78 echo '<dd><dl>'."\n";
79 foreach( $credits as $linkback )
80 {
81- echo '<dt>'.format_to_output( $linkback['pre'], 'htmlbody').'</dt>';
82- echo '<dd><a href="', $linkback['url'].'" title="';
83+ echo '<dt>'.format_to_output( $linkback['pre'], 'htmlbody' ).'</dt>';
84+ echo '<dd><a href="'.format_to_output( $linkback['url'], 'htmlattr' ).'" title="';
85 echo format_to_output( $linkback['title'], 'htmlattr' ).'">';
86 echo format_to_output( $linkback['text'], 'text' ).'</a></dd><dd>';
87- echo format_to_output( $linkback['post'], 'htmlbody')."</dd>\n";
88+ echo format_to_output( $linkback['post'], 'htmlbody' )."</dd>\n";
89 }
90 echo '</dl></dd>'."\n";
91 }
92@@ -63,19 +63,21 @@
93 $p_name = format_to_output( $a_plugin->name, 'htmlbody' );
94 if( $a_plugin->help_url != '' )
95 {
96- $p_name = '<a href="'.$a_plugin->help_url.'" title="'.T_('visit this plugins web page').'">'.$p_name.'</a>';
97+ $p_name = '<a href="'.format_to_output( $a_plugin->help_url, 'htmlattr' ).'" title="'.format_to_output( T_('visit this plugins web page'), 'htmlattr' ).'">'.$p_name.'</a>';
98 }
99
100 $a_name = format_to_output( $a_plugin->author, 'htmlbody' );
101 if( $a_plugin->author_url != '' )
102 {
103- $a_name = '<a href="'.$a_plugin->author_url.'" title="'.T_('visit the authors website').'">'.$a_name.'</a>';
104+ $a_name = '<a href="'.format_to_output( $a_plugin->author_url, 'htmlattr' ).'" title="'.format_to_output( T_('visit the authors website'), 'htmlattr' ).'">'.$a_name.'</a>';
105 }
106
107 $credits[ strtolower( $a_plugin->name ) ] = array(
108 'p_name' => $p_name,
109 'a_name' => $a_name,
110- 'desc' => $a_plugin->long_desc,
111+ // Looks like we usually allow HTML in plugin descriptions.
112+ // We still need to make sure no bad chars mess up the template/encoding.
113+ 'desc' => format_to_output( $a_plugin->long_desc, 'htmlbody' ),
114 );
115 }
116
117@@ -107,7 +109,7 @@
118 echo '<dd><dl>'."\n";
119 foreach( $_hic_sunt_dracones as $dracone )
120 {
121- echo '<dt><a href="'.$dracone['homepage'].'" title="';
122+ echo '<dt><a href="'.format_to_output( $dracone['homepage'], 'htmlattr' ).'" title="';
123 echo format_to_output( $dracone['homepage'], 'htmlattr' ).'">';
124 echo format_to_output( $dracone['name'], 'text' ).'</a></dt><dd>';
125 locale_flag( $dracone['locale'], 'h10px', 'leftmargin' );
126@@ -119,9 +121,9 @@
127 // Finally: QP's only linkback
128 if( isset( $Template ) )
129 {
130- echo '<dt>'.$Template->poweredby_linkback['pre'].':</dt>'."\n";
131+ echo '<dt>'.format_to_output( $Template->poweredby_linkback['pre'], 'htmlbody' ).':</dt>'."\n";
132 echo '<dd><dl>', "\n";
133- echo '<dt><a href="', $Template->poweredby_linkback['url'], '" title="';
134+ echo '<dt><a href="'.format_to_output( $Template->poweredby_linkback['url'], 'htmlattr' ).'" title="';
135 echo format_to_output( $Template->poweredby_linkback['title'], 'htmlattr' ), '">';
136 echo format_to_output( $Template->poweredby_linkback['text'], 'text' ), '</a></dt><dd>';
137 echo format_to_output( $Template->poweredby_linkback['post'], 'htmlbody'), "</dd>\n";

Subscribers

People subscribed via source and target branches