[dev] [commits] Horde branch master updated. d255d66a6a8ace592e3a058e455f628cc6aa1faa

Michael M Slusarz slusarz at horde.org
Fri Jul 16 16:52:38 UTC 2010


Quoting Chuck Hagenbuch <chuck at horde.org>:

> Quoting Michael M Slusarz <slusarz at horde.org>:
>
>> Quoting Jan Schneider <jan at horde.org>:
>>
>>> Zitat von Michael M Slusarz <slusarz at horde.org>:
>>>
>>>> Quoting Jan Schneider <jan at horde.org>:
>>>>
>>>>> commit d255d66a6a8ace592e3a058e455f628cc6aa1faa
>>>>> Author: Jan Schneider <jan at horde.org>
>>>>> Date:   Tue Jan 26 23:59:41 2010 +0100
>>>>>
>>>>> Revert "Too many htmlspecialchars in link() for title attribute"
>>>>>
>>>>> This reverts commit c92729ed228294b9d29b8a0e73be90e06ff45ab7.
>>>>>
>>>>> This broke tags that are not properly encoded in title tag  
>>>>> anymore, if being used for tooltips, e.g. in the nag portal block.
>>>>>
>>>>> framework/Core/lib/Horde.php |    5 +++--
>>>>> 1 files changed, 3 insertions(+), 2 deletions(-)
>>>>>
>>>>> http://git.horde.org/diff.php/framework/Core/lib/Horde.php?rt=horde-git&r1=13879630963e68a2bfe3f85e37082bd6d5ac6631&r2=d255d66a6a8ace592e3a058e455f628cc6aa1faa
>>>>
>>>> But now this re-breaks tags that ARE properly encoded - such as  
>>>> tooltip display of e-mail addresses in IMP (imp/mailbox.php).   
>>>> Why isn't this fixed in nag instead?
>>>
>>> Counter question: what was changed in IMP so that the tooltips no  
>>> longer work without that change?
>>> The problem that I see is, that removing that htmlspecialchars()  
>>> where it was expected to be in the past, potentially opens all  
>>> kind of XSS vulnerabilties, unless we go through every single  
>>> link() call and check if the content is properly encoded.
>>> I'm not saying that we shouldn't do this, but just changing link()  
>>> and fixing issues where we see them popping up, makes us vulnerable.
>>
>> Bringing this up from a long time ago... but this is still broken.   
>> Because it is impossible to display an ampersand in the title  
>> attribute.
>>
>> e.g. calling Horde::link('', 'A & B', ...)
>>
>> will produce a tag like the following:
>>
>> <a ... title="A &amp;amp; B" ...>
>>
>> instead of the proper "A &amp; B" title.  This is broken behavior.
>>
>> I stand by my previous fix.  At the very least, I need input on how  
>> I can get this to output correctly if I am still thought to be wrong.
>
> What about using something like escapeOnce() from Horde_View_Helper_Tag?

It seems a bit hackish... but it works.  And I am still unclear about  
why double htmlescaping the entire string is "safer" than single  
escaping, but I will trust Jan when he says this is necessary.  So  
I've added the preg regex to replace the double encoded entities to  
Horde::link().

michael

-- 
___________________________________
Michael Slusarz [slusarz at horde.org]



More information about the dev mailing list