
Fix for BBCode bug when legitimate ',%()' in url

Posted: Fri Apr 28, 2006 7:21 pm
by Leif Erlingsson
Fix for BBCode bug when legitimate ',%()' in url
http://blog.lege.net/serendipity_event_bbcode.php.patch.txt wrote: THIS IS http://blog.lege.net/serendipity_event_ ... .patch.txt

A PATCH FOR UP TO AT LEAST serendipity-0.9.1 (still latest stable
as of April 28, 2006) THAT MAKES THE BBCode PLUGIN ACCEPT MORE
COMMONLY USED URLs WITH THE url= TAG. IT DIDN'T ACCEPT ',%()'
IN URLs, AND MANY OF THE SITES I COMMONLY WISH TO LINK TO USE THESE
CHARACTERS IN THE URL NAMES! HENCE THIS PATCH:

* Save this file as serendipity_event_bbcode.php.patch

* Copy this file to the root of your Serendipity installation

* Execute:

cp -p plugins/serendipity_event_bbcode/serendipity_event_bbcode.php \
plugins/serendipity_event_bbcode/serendipity_event_bbcode.php-the_old_version

patch -p0 < serendipity_event_bbcode.php.patch

* THAT'S ALL - IT ALREADY WORKS! VISIT THE FILES AND SEE THE CHANGES, ETC:

cd plugins/serendipity_event_bbcode

diff serendipity_event_bbcode.php-the_old_version \
serendipity_event_bbcode.php


*** plugins/serendipity_event_bbcode/serendipity_event_bbcode.php~ Sun Oct 2 23:47:56 2005
--- plugins/serendipity_event_bbcode/serendipity_event_bbcode.php Fri Apr 28 18:37:34 2006
*************** class serendipity_event_bbcode extends s
*** 150,157 ****
// Only allow strings occuring in emails: .-_@, 0-9, a-z
static $pattern_mail = '([\.\-\+~@_0-9a-z]+?)';

! // Only allow strings occuring in URLs: &;?:.-_@/, 0-9, a-z
! static $pattern_url = '([@!=~\?:&;0-9a-z#\.\-_\/]+?)';

// Disallow possibly evil HTML characters which may lead to Javascript XSS: '"();
static $pattern_query = '([^"\'\(\);]+?)';
--- 150,157 ----
// Only allow strings occuring in emails: .-_@, 0-9, a-z
static $pattern_mail = '([\.\-\+~@_0-9a-z]+?)';

! // Only allow strings occuring in URLs: &;?:.-_@/,%(), 0-9, a-z
! static $pattern_url = '([@!=~\?:&;0-9a-z#\.\-_\/,%\(\)]+?)';

// Disallow possibly evil HTML characters which may lead to Javascript XSS: '"();
static $pattern_query = '([^"\'\(\);]+?)';
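Review bot: the patched $pattern_url admits '(' and ')' while the $pattern_query two lines below still lists both among the "possibly evil HTML characters which may lead to Javascript XSS", so the two whitelists now disagree; either leave the parens out of the URL class (callers can supply %28 and %29, which the new '%' entry already permits) or document why a URL may contain what a query may not. Minor: the "occuring" typo in the comment is carried over into the new line.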
DOWNLOAD THE PATCH FROM http://blog.lege.net/serendipity_event_ ... .patch.txt - DON'T try to cut-paste!

Re: Fix for BBCode bug when legitimate ',%()' in url

Posted: Fri Apr 28, 2006 7:48 pm
by garvinhicking
Hi!

First off, many thanks for sharing your patch!

However, please do not crosspost into different topics! I deleted your other posting for clarity.

I also committed your fix for "%". The "," was already allowed in the 1.0 versions of Serendipity. The "(" and ")" characters actually are not allowed in URLs; they would need to be replaced with the %xx equivalents. I did not add them, so as not to introduce possible javascript:(...) URL XSS injections.

Best regards,
Garvin

','

Posted: Fri Apr 28, 2006 9:50 pm
by Leif Erlingsson
First off - sorry to have crossposted, I supposed it was the proper thing to do since this concerned both a plugin and a bug in said plugin, but you are right, better to have one single thread, so sorry again.

It's great to hear that the ',' was already in the 1.0. And even better that the '%' is now also there!

As for the ( ), I'm sure you are right, but then there needs to be code for rewriting such URLs, because they do exist. Examples:


http://stallman.org/archives/2005-nov-feb.html#12%20January%202006%20(Spanish%20government)
- that's what my browser gives to me when I get the URL from the site, so naturally that's the URL I'd feed into the [url=. So if you can't accept ( ), then you need to code so that user-entered ( ) are converted like you suggest.

In my opinion, of course.

OTOH, this doesn't work in this forum either:

Here's that link again, just pasted in the forum: http://stallman.org/archives/2005-nov-f ... overnment)

And again, this time in an [url= construct: http://stallman.org/archives/2005-nov-feb.html#12%20January%202006%20(Spanish%20government)

==> The forum didn't like the ( ) either. Perhaps it's RMS that is in error? :)

PS: I updated my patch so it DOESN'T allow the () anymore.

Posted: Fri Apr 28, 2006 10:07 pm
by Leif Erlingsson
PS: I updated my patch so it DOESN'T allow the () anymore. It should now be safe to use: http://blog.lege.net/serendipity_event_ ... .patch.txt

+

Posted: Sat Apr 29, 2006 5:28 pm
by Leif Erlingsson
ONE MORE BUG:

My patch (see http://blog.lege.net/serendipity_event_ ... .patch.txt ) is again updated: it now also accepts '+' in URLs. These are very common in search query URLs, like Google queries.

// Leif

Re: +

Posted: Sat Apr 29, 2006 5:39 pm
by garvinhicking
Hi!

Yes, you are right. Well spotted :) I also committed this to our repository! Many thanks,
Garvin
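To show what the thread settles on (the '%' and ',' from the patch, '+' from the follow-up, and '(' ')' left out in favour of %xx encoding as Garvin suggests), here is an added example in Python, not the plugin's own PHP: a whitelist check built from that character class plus the rewrite step Leif asks for. It assumes the plugin matches the class case-insensitively, which this page does not show.

```python
import re

# Character class assembled from the thread: the patched $pattern_url with
# ',' and '%' and '+' kept, and '(' ')' removed. Case-insensitive matching
# is an assumption; the plugin's regex flags are not visible on the page.
ALLOWED_CLASS = r"[@!=~?:&;0-9a-z#.\-_/,%+]"
ONE_CHAR = re.compile(ALLOWED_CLASS, re.IGNORECASE)
WHOLE_URL = re.compile(rf"^{ALLOWED_CLASS}+$", re.IGNORECASE)

# The URL from the thread (copied from the post above).
RMS_URL = ("http://stallman.org/archives/2005-nov-feb.html"
           "#12%20January%202006%20(Spanish%20government)")


def url_is_accepted(url: str) -> bool:
    """True if every character of url lies in the plugin's allowed class."""
    return WHOLE_URL.fullmatch(url) is not None


def percent_encode_disallowed(url: str) -> str:
    """Rewrite a user-entered URL so it passes the whitelist.

    Any character outside the class becomes %XX for each of its UTF-8 bytes.
    '%' itself is in the class and is left alone, so sequences the browser
    already encoded (e.g. %20) are not encoded a second time.
    """
    out = []
    for ch in url:
        if ONE_CHAR.fullmatch(ch):
            out.append(ch)
        else:
            out.extend(f"%{b:02X}" for b in ch.encode("utf-8"))
    return "".join(out)


if __name__ == "__main__":
    print(url_is_accepted(RMS_URL))                      # False: '(' and ')'
    fixed = percent_encode_disallowed(RMS_URL)
    print(fixed)                                         # ...%28Spanish%20government%29
    print(url_is_accepted(fixed))                        # True
```

The whitelist only constrains characters; it says nothing about the URL scheme, which the plugin handles elsewhere.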