[Rejected] Sanitizing User Profiles
#10
Documentation of specific issues aside, changes like this in minor point releases should be expected - plugins, themes or custom modifications for 1.6 or earlier branches in general don't go together with 1.8 code.

Even if the double escaping problem is taken care of while restoring escaping on input, it would still go against best practices and be another exception to the rule (there are some places where HTML is being escaped before saving, as you point out). The goal is to have better code with fewer inconsistencies (and indeed, better documentation) so problems like yours don't happen.

(2018-04-27, 07:48 PM) frostschutz Wrote: Does the new template engine for MyBB 1.9 have any built-in sanitization feature? Most of the time (say, if you are not parsing bbcode, or well put templates inside templates I guess), the template should be the sole authority on HTML structure and all $vars should just be content/strings so the template engine could handle sanitization centrally rather than that garden variety of htmlspecialchars strewed all over everywhere.

All variables will be escaped by default, unless the raw filter is applied.
devilshakerz.com/pgp (DF3A 34D9 A627 42E5 BC6A 6750 1F2F B8AA 28FF E1BC) ▪ keybase.io/devilshakerz
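
The double-escaping problem and the escape-by-default behaviour discussed in this post, as an added PHP example that is not from the thread or from MyBB's code. The `e()` and `render()` helpers, the `{{ name|raw }}` placeholder syntax, the `signature` field name and the sample value are assumptions made for illustration.

```php
<?php
// Constructed sample: a profile field value as a user might submit it.
$submitted = 'Tom & "Jerry" <b>fans</b>';

// Hypothetical helper: encode a value for an HTML context at output time.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hypothetical mini renderer (not MyBB's engine): {{ name }} is escaped
// by default, {{ name|raw }} is inserted exactly as stored.
function render(string $template, array $vars): string
{
    return preg_replace_callback(
        '/\{\{\s*(\w+)\s*(\|\s*raw\s*)?\}\}/',
        function (array $m) use ($vars): string {
            $value = (string) ($vars[$m[1]] ?? '');
            // Group 2 is only present when the raw filter was written.
            return isset($m[2]) ? $value : e($value);
        },
        $template
    );
}

$template = '<td>{{ signature }}</td>';

// Case 1: escaped on input, then escaped again by the template.
// The stored "&amp;" becomes "&amp;amp;" and readers see literal entities.
$storedEscaped = e($submitted);
$double = render($template, ['signature' => $storedEscaped]);

// Case 2: stored as submitted, escaped once at output.
// The markup is shown as text and the page structure stays under
// the template's control.
$single = render($template, ['signature' => $submitted]);

// Case 3: stored as submitted, output through the raw filter.
// The <b> element reaches the page as markup, so raw is only
// appropriate for values that were sanitized for HTML elsewhere.
$rawOut = render('<td>{{ signature|raw }}</td>', ['signature' => $submitted]);

foreach (['double' => $double, 'single' => $single, 'raw' => $rawOut] as $k => $v) {
    echo str_pad($k, 7), $v, PHP_EOL;
}
```

Data that was escaped before saving in an older branch falls into case 1 once output escaping is switched on, which is why such rows need a one-time decode or a deliberate `raw` exception rather than both layers at once.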


Messages In This Thread
Sanitizing User Profiles - by labrocca - 2018-04-26, 06:13 PM
RE: Sanitizing User Profiles - by Devilshakerz - 2018-04-26, 07:40 PM
RE: Sanitizing User Profiles - by labrocca - 2018-04-26, 08:21 PM
RE: Sanitizing User Profiles - by Euan T - 2018-04-26, 09:42 PM
RE: Sanitizing User Profiles - by labrocca - 2018-04-26, 10:20 PM
RE: Sanitizing User Profiles - by frostschutz - 2018-04-26, 11:01 PM
RE: Sanitizing User Profiles - by labrocca - 2018-04-27, 05:54 PM
RE: Sanitizing User Profiles - by frostschutz - 2018-04-27, 07:48 PM
RE: Sanitizing User Profiles - by Euan T - 2018-04-27, 06:52 PM
RE: Sanitizing User Profiles - by Devilshakerz - 2018-04-27, 08:12 PM
RE: Sanitizing User Profiles - by labrocca - 2018-04-27, 08:23 PM
RE: Sanitizing User Profiles - by Omar G. - 2018-04-28, 06:44 AM
RE: Sanitizing User Profiles - by labrocca - 2018-04-28, 02:41 PM
