AdoDbPager - htmlSpecialChars setting are ignored on rendering #968

Closed
Closed

@bblemm (Contributor) commented May 8, 2023

Description

Currently, when "htmlSpecialChars" is deactivated, the HTML code is still always escaped.
In the fix for #850, the check of the function parameter $htmlspecialchars was removed before htmlspecialchars() is executed on the variable.

Environment

  • ADOdb version: 5.22.5
  • Driver or Module: mysqli
  • Database type and version: MariaDB 10.6
  • PHP version: 8.1
  • Platform: debian
  • I have tested that the problem is reproducible in the latest release

Steps to reproduce

```php
<?php
// $conn is an already opened ADOdb connection (mysqli driver, see Environment above)
$sql = 'Select "this<br>is<br>html<br>code" as htmlCode';
$pager = new AdoDbPager($conn, $sql);
$pager->htmlSpecialChars = false;
$pager->Render();
```

Expected behavior

Add the $htmlspecialchars check before using htmlspecialchars() on the variable.

bblemm added the "triage" label (New issues not yet reviewed by ADOdb developers) May 8, 2023
bblemm added a commit to bblemm/ADOdb that referenced this issue May 8, 2023
dregad added the "bug" label and removed the "triage" label May 12, 2023
dregad added this to the v5.22.6 milestone May 12, 2023
dregad self-assigned this May 12, 2023
dregad linked a pull request May 12, 2023 that will close this issue

@dregad (Member) commented May 12, 2023

Confirmed regression introduced by commit bda6e1e.

Thanks for the pull request @bblemm .

2 remarks, independent of the bug

  • AdoDbPager, I guess you actually meant ADODB_Pager ? Or is that a custom class of yours ?

  • I don't know if you just used the Pager for demonstrating the problem, but if not I would strongly advise against setting $pager->htmlSpecialChars = false; unless you have full confidence about the underlying data, as this leaves you vulnerable to cross-site scripting (XSS) attacks. Try it:

```php
$sql = "select 'XSS <script>alert(\"p4wned\")</script>' as htmlCode";
```

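The following is an added, stand-alone illustration of both points raised in this thread (the regression in the issue body, where the flag is accepted but never consulted, and the XSS exposure in the comment above when escaping is switched off). It is not ADOdb's own pager code: the functions renderCellBuggy, renderCellFixed and renderGrid are hypothetical stand-ins for the pager's cell rendering, and SAMPLE_ROWS is a constructed result set standing in for what the two SQL statements above would return.

```php
<?php
// Added example, not ADOdb code. Minimal stand-in for a pager's grid rendering,
// showing (1) the regression: the htmlSpecialChars flag is ignored and output is
// always escaped, and (2) why turning escaping off is dangerous on untrusted data.
declare(strict_types=1);

// Constructed sample rows (what the two SQL statements in this thread would yield).
const SAMPLE_ROWS = [
    ['htmlCode' => 'this<br>is<br>html<br>code'],
    ['htmlCode' => 'XSS <script>alert("p4wned")</script>'],
];

/**
 * Buggy behaviour (hypothetical name): the $htmlSpecialChars flag is accepted
 * but never consulted, so the value is escaped unconditionally.
 */
function renderCellBuggy(string $value, bool $htmlSpecialChars): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Fixed behaviour (hypothetical name): escape only when the flag is on.
 * With the flag off the raw value reaches the page, which is exactly what
 * makes the <script> row in SAMPLE_ROWS an XSS payload.
 */
function renderCellFixed(string $value, bool $htmlSpecialChars): string
{
    if ($htmlSpecialChars) {
        return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
    return $value;
}

/** Render rows as an HTML table using the given cell renderer (hypothetical). */
function renderGrid(array $rows, bool $htmlSpecialChars, callable $cell): string
{
    $out = "<table>\n";
    foreach ($rows as $row) {
        $out .= '<tr>';
        foreach ($row as $v) {
            $out .= '<td>' . $cell((string) $v, $htmlSpecialChars) . '</td>';
        }
        $out .= "</tr>\n";
    }
    return $out . "</table>\n";
}

// Self-check that the fixed renderer actually honours the flag.
assert(renderCellFixed('<b>', false) === '<b>');
assert(renderCellFixed('<b>', true) === '&lt;b&gt;');
// ...and that the buggy one does not (the regression reported in this issue).
assert(renderCellBuggy('<b>', false) === '&lt;b&gt;');

echo "--- buggy renderer, htmlSpecialChars=false: still escaped ---\n";
echo renderGrid(SAMPLE_ROWS, false, 'renderCellBuggy');

echo "--- fixed renderer, htmlSpecialChars=false: raw HTML, <script> survives ---\n";
echo renderGrid(SAMPLE_ROWS, false, 'renderCellFixed');

echo "--- fixed renderer, htmlSpecialChars=true: safe default ---\n";
echo renderGrid(SAMPLE_ROWS, true, 'renderCellFixed');
```

Run it with `php example.php` and compare the second and third tables: the only difference is whether the cell value is passed through htmlspecialchars(), and in the second table the script tag is emitted verbatim into the page. That is the trade-off behind the maintainer's advice: the flag exists so that data you fully control can carry markup, but any column populated from user input must stay escaped.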
@dregad dregad closed this as completed in 93fa678 May 18, 2023