MyBB Hacks

Full Version: Save User's Web
Is there any reason why MyBB saves the user's web field using htmlspecialchars() inside the escape_string()?

Sorry for this noob question Biggrin
It's done twice in case one of them fails.
Oh, and the & character is evil - surely no website of concern has one of those buggers..
Some of my users use their profile page URL as their website. So the & character is displayed as & in the page source, and &uid=x in the front end (profile page) because MyBB uses htmlspecialchars_uni() in the profile page (and postbit).
Maybe you can "fix" it with template conditionals PHP shortcut code. But not sure what function to use and if it will be safe to do it.
Or you can write a plugin to redirect from member.php?profile=X to member.php?action=profile&uid=X and tell your users to use that instead?
(07-13-2012 09:33 AM)Sama34 Wrote: Or you can write a plugin to redirect from member.php?profile=X to member.php?action=profile&uid=X and tell your users to use that instead?
No, the problem is that MyBB has a bug where it's double-escaping the user's website.
And again, personally (only my personal opinion), I think it is better to use a regex to verify the user's website field, like what XThreads does if we create a textbox and assign a Text Mask Filter (URI Generic, URL or URL (HTTP/S)) to the textbox?

Right now, I can see this in the user's website field:

Code:
http://This is my website. Ha ha ha ha!!!!!


But maybe it is because I'm not familiar with SEO URL.

haha

Well, yes, it is a "bug", but unless you want to report it and they consider it worth fixing, you need to do something from your end.

You can write a plugin to check users' websites before saving from the usercp. IMO, this field should be a profile field but that is not related to this, but we could use RateU's plugins to use regex.
I don't mind (personally) if the website field is in users table (although I prefer this as custom field). But I think it is a big bonus if MyBB adds more validation to it in the verify_website() function, and if it doesn't have any negative effect, do not htmlspecialchars() the value inside the escape_string() when saving to the db.

Because this is a default MyBB field, maybe it is better if the above things are done by the default MyBB userhandler.

But again, I don't know what a framework or a software should do to save a website/URL field.
In general, you shouldn't escape stuff in the DB - the DB should store raw unescaped data, which should be escaped when displayed to the user.
(exception if you wish to cache parsing)
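Added example (not MyBB's own code) modelling the double-escaping the thread describes and the store-raw, escape-on-output rule from the last reply. escape_for_html() and escape_for_sql() are stand-ins for MyBB's htmlspecialchars_uni() and $db->escape_string(), and validate_website() is an assumed replacement for the validation verify_website() is said to lack.

```php
<?php
// Added example, not MyBB code: models the double-escaping bug from the thread
// and the fix of validating on input, storing raw, and encoding once on output.
declare(strict_types=1);

// Stand-in for MyBB's htmlspecialchars_uni(): HTML-encode for output only.
function escape_for_html(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Stand-in for $db->escape_string(): SQL-literal escaping for the query text.
// The database stores the original bytes, so reading the row back yields
// the raw value; the stripslashes() below models that round trip.
function escape_for_sql(string $s): string {
    return addslashes($s); // mysqli_real_escape_string() would need a connection
}

// The bug from the thread: HTML-encoding before the SQL escape puts "&amp;"
// into the row, and the profile page then encodes that a second time.
function save_buggy(string $website): string {
    return stripslashes(escape_for_sql(escape_for_html($website)));
}

// Assumed validation: a parseable absolute URL with a web scheme. Rejects
// junk like "http://This is my website" and keeps javascript: out of href.
function validate_website(string $website): ?string {
    $website = trim($website);
    if (filter_var($website, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($website, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $website : null;
}

// The fix: validate, then store the raw URL; no HTML encoding at save time.
function save_fixed(string $website): ?string {
    $clean = validate_website($website);
    return $clean === null ? null : stripslashes(escape_for_sql($clean));
}

// Output is the one place the value is HTML-encoded.
function render_href(string $stored): string {
    $safe = escape_for_html($stored);
    return '<a href="' . $safe . '">' . $safe . '</a>';
}

$url = 'http://example.com/member.php?action=profile&uid=5'; // constructed input
echo render_href(save_buggy($url)), PHP_EOL;  // the "&amp;amp;" the thread complains about
echo render_href(save_fixed($url)), PHP_EOL;  // encoded exactly once
var_dump(save_fixed('http://This is my website. Ha ha ha ha!!!!!'));
```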