DOWNLOAD THE PATCH FROM http://blog.lege.net/serendipity_event_ ... .patch.txt - DON'T try to cut-paste!
http://blog.lege.net/serendipity_event_bbcode.php.patch.txt wrote:
THIS IS http://blog.lege.net/serendipity_event_ ... .patch.txt
A PATCH FOR UP TO AT LEAST serendipity-0.9.1 (still latest stable
as of April 28, 2006) THAT MAKES THE BBCode PLUGIN ACCEPT MORE
COMMONLY USED URLs WITH THE url= TAG. IT DIDN'T ACCEPT ',%()'
IN URLs AND MANY OF THE SITES I COMMONLY WISH TO LINK TO USE THESE
CHARACTERS IN THE URL-NAMES! HENCE THIS PATCH:
* Save this file as serendipity_event_bbcode.php.patch
* Copy this file to the root of your Serendipity installation
* Execute:
cp -p plugins/serendipity_event_bbcode/serendipity_event_bbcode.php \
plugins/serendipity_event_bbcode/serendipity_event_bbcode.php-the_old_version
patch -p0 < serendipity_event_bbcode.php.patch
* THAT'S ALL - IT ALREADY WORKS! VISIT THE FILES AND SEE THE CHANGES, ETC:
cd plugins/serendipity_event_bbcode
diff serendipity_event_bbcode.php-the_old_version \
serendipity_event_bbcode.php
*** plugins/serendipity_event_bbcode/serendipity_event_bbcode.php~ Sun Oct 2 23:47:56 2005
--- plugins/serendipity_event_bbcode/serendipity_event_bbcode.php Fri Apr 28 18:37:34 2006
*************** class serendipity_event_bbcode extends s
*** 150,157 ****
// Only allow strings occuring in emails: .-_@, 0-9, a-z
static $pattern_mail = '([\.\-\+~@_0-9a-z]+?)';
! // Only allow strings occuring in URLs: &;?:.-_@/, 0-9, a-z
! static $pattern_url = '([@!=~\?:&;0-9a-z#\.\-_\/]+?)';
// Disallow possibly evil HTML characters which may lead to Javascript XSS: '"();
static $pattern_query = '([^"\'\(\);]+?)';
--- 150,157 ----
// Only allow strings occuring in emails: .-_@, 0-9, a-z
static $pattern_mail = '([\.\-\+~@_0-9a-z]+?)';
! // Only allow strings occuring in URLs: &;?:.-_@/,%(), 0-9, a-z
! static $pattern_url = '([@!=~\?:&;0-9a-z#\.\-_\/,%\(\)]+?)';
// Disallow possibly evil HTML characters which may lead to Javascript XSS: '"();
static $pattern_query = '([^"\'\(\);]+?)';
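Review bot: the patched `$pattern_url` on the second `!` line adds `\(\)` to the whitelist, but the `$pattern_query` comment two lines below still lists `(` and `)` among the characters that "may lead to Javascript XSS", so the two definitions in the same block now disagree about those characters. Since `%` is also being added, a link whose parentheses are sent as `%28`/`%29` already passes, so suggest dropping `\(\)` from the class and, if such URLs must be supported, percent-encoding them before the pattern is applied rather than widening it. The new comment line also carries over the "occuring" misspelling from the original.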
Fix for BBCode bug when legitimate ',%()' in url
-
Leif Erlingsson
- Posts: 4
- Joined: Fri Apr 28, 2006 7:06 pm
- Location: Tullinge, Botkyrka
- Contact:
Fix for BBCode bug when legitimate ',%()' in url
-
garvinhicking
- Core Developer
- Posts: 30022
- Joined: Tue Sep 16, 2003 9:45 pm
- Location: Cologne, Germany
- Contact:
Re: Fix for BBCode bug when legitimate ',%()' in url
Hi!
First off, many thanks for sharing your patch!
However, please do not crosspost into different topics! I deleted your other posting for clarity.
I also committed your fix for "%". The "," was already allowed in the 1.0 versions of Serendipity. The "(" and ")" characters actually are not allowed in URLs, they would need to be replaced with the %xx equivalents. I did not add them to not introduce possible javascript:(...) URL XSS injections.
Best regards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
-
Leif Erlingsson
- Posts: 4
- Joined: Fri Apr 28, 2006 7:06 pm
- Location: Tullinge, Botkyrka
- Contact:
','
First off - sorry to have crossposted, I supposed it was the proper thing to do since this concerned both a plugin and a bug in said plugin, but you are right, better to have one single thread, so sorry again.
It's great to hear that the ',' was already in the 1.0. And even better that the '%' is now also there!
As for the ( ), I'm sure you are right, but then there needs to be code for rewriting such URLs, because they do exist. Examples:
http://stallman.org/archives/2005-nov-feb.html#12%20January%202006%20(Spanish%20government)
- that's what my browser gives to me when I get the URL from the site, so naturally that's the URL I'd feed into the [url=. So if you can't accept ( ) then you need to code so user-entered ( ) are converted like you suggest.
In my opinion, of course.
OTOH, this doesn't work in this forum either:
Here's that link again, just pasted in the forum: http://stallman.org/archives/2005-nov-f ... overnment)
And again, this time in an [url=construct: http://stallman.org/archives/2005-nov-feb.html#12%20January%202006%20(Spanish%20government)
==> The forum didn't like the ( ) either. Perhaps it's RMS that is in error?
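The two character classes from the patch hunk above, Garvin's point that "(" and ")" belong in a link only as %xx escapes, and Leif's request for code that rewrites such URLs, worked through as an added PHP example. This is not the s9y plugin's code and not Leif's patch: it copies the two `$pattern_url` classes verbatim, anchors them and uses `/i` so the check is self-contained (an assumption about how the plugin embeds the pattern), and adds "+" to its own whitelist on the strength of Leif's later post, since that updated patch is not shown in the thread. The Google query URL is constructed; the stallman.org URL is the one from the thread.

```php
<?php
// Added example, not code from the s9y BBCode plugin or from the patch in this thread.
// It shows what the original and patched $pattern_url classes accept, and a safer
// way to handle "(" and ")" in a [url=...] target: percent-encode them instead of
// whitelisting them, and refuse non-http(s) schemes before the pattern is consulted.

// The two character classes, copied verbatim from the patch hunk.
const PATTERN_URL_ORIG    = '([@!=~\?:&;0-9a-z#\.\-_\/]+?)';
const PATTERN_URL_PATCHED = '([@!=~\?:&;0-9a-z#\.\-_\/,%\(\)]+?)';

// Whitelist used by the encoder below: the patched class without "(" and ")", with
// "+" added because Leif's later post says his updated patch accepts it (that
// version is not on the page, so the "+" here is an assumption). "%" is handled
// separately so existing escapes survive.
const SAFE_URL_CLASS = '@!=~\?:&;0-9a-z#\.\-_\/,+';

// Does the whole target match a pattern? The plugin embeds $pattern_url in a larger
// BBCode regex; anchoring it and using /i here is an assumption that keeps the check
// self-contained (the URL quoted in the thread contains upper-case letters).
function url_matches(string $pattern, string $url): bool
{
    return preg_match('/^' . $pattern . '$/i', $url) === 1;
}

// Only absolute http(s) links become [url=...] targets. A "javascript:" target never
// reaches the character-class check, whatever characters it happens to contain.
function is_http_url(string $url): bool
{
    return preg_match('#^https?://#i', $url) === 1;
}

// Percent-encode every byte outside SAFE_URL_CLASS. Existing %XX escapes such as
// "%20" are copied through so nothing is double-encoded; a stray "%" becomes "%25".
function encode_for_bbcode(string $url): string
{
    $out = '';
    $len = strlen($url);
    for ($i = 0; $i < $len; $i++) {
        $c = $url[$i];
        if ($c === '%') {
            if ($i + 2 < $len && ctype_xdigit(substr($url, $i + 1, 2))) {
                $out .= substr($url, $i, 3);   // valid escape: keep as is
                $i += 2;
            } else {
                $out .= '%25';                  // lone "%": encode it
            }
            continue;
        }
        // "(", ")", space and quotes land here and become %28 %29 %20 %22 ...
        $out .= preg_match('/^[' . SAFE_URL_CLASS . ']$/i', $c) === 1
            ? $c
            : rawurlencode($c);
    }
    return $out;
}

// The combined rule: scheme check first, then encode, then the whitelist test.
// Returns the encoded target, or null when the link must be dropped.
function bbcode_url_target(string $url): ?string
{
    if (!is_http_url($url)) {
        return null;
    }
    $encoded = encode_for_bbcode($url);
    return preg_match('/^[' . SAFE_URL_CLASS . '%]+$/i', $encoded) === 1 ? $encoded : null;
}

// Leif's example URL from the thread, plus a constructed Google query containing "+".
$rms    = 'http://stallman.org/archives/2005-nov-feb.html#12%20January%202006%20(Spanish%20government)';
$google = 'http://www.google.com/search?q=serendipity+bbcode';   // constructed sample

var_dump(url_matches(PATTERN_URL_ORIG, $rms));                  // false: "%", "(", ")" refused
var_dump(url_matches(PATTERN_URL_PATCHED, $rms));               // true:  the patch lets them through
var_dump(url_matches(PATTERN_URL_PATCHED, 'javascript:(...)')); // true:  why Garvin kept "()" out
var_dump(bbcode_url_target('javascript:(...)'));                // NULL:  scheme check refuses it
var_dump(bbcode_url_target($rms));                              // "...%28Spanish%20government%29"
var_dump(bbcode_url_target($google));                           // unchanged, "+" kept
```

The point of the last three lines is the order of checks: the scheme test runs on the raw input before any encoding, the encoder only ever narrows the set of characters that reach the pattern, and the pattern is consulted last, so the whitelist can stay as strict as the plugin's original comment intends while links like the stallman.org one still work.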
-
Leif Erlingsson
- Posts: 4
- Joined: Fri Apr 28, 2006 7:06 pm
- Location: Tullinge, Botkyrka
- Contact:
PS: I updated my patch so it DOESN'T allow the () anymore.
PS: I updated my patch so it DOESN'T allow the () anymore. It should now be safe to use: http://blog.lege.net/serendipity_event_ ... .patch.txt
-
Leif Erlingsson
- Posts: 4
- Joined: Fri Apr 28, 2006 7:06 pm
- Location: Tullinge, Botkyrka
- Contact:
+
ONE MORE BUG:
My patch (see http://blog.lege.net/serendipity_event_ ... .patch.txt ) is again updated: It now accepts also '+' in URL:s. These are very common in search query-url:s, like Google queries.
// Leif
-
garvinhicking
- Core Developer
- Posts: 30022
- Joined: Tue Sep 16, 2003 9:45 pm
- Location: Cologne, Germany
- Contact:
Re: +
Hi!
Yes, you are right. Good spotted
I also committed this to our repository! Many thanks,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/