htmlspecialchars? doesn't accept <= symbol in notes

tlovie

Not sure about where to look to fix this, but when I try to post notes, or reply to tickets, areas after

Many thanks,

tlovie

found it

I think I found the area to look at, but I don't understand completely what's going on here.

in class.format.php

function striptags($string) {

return strip_tags(html_entity_decode($string)); //strip all tags ...no mercy!

why is this necessary.... can someone explain this to me?

peter

We strip out tags to avoid stored XSS injections. The ideal solution is to filter inputs and weed out "bad" parts, not easy at all, but it's the approach we plan on taking with upcoming version.

tlovie

XSS injections?

In that function striptags, I did the probably not recommended modification to not strip the tags and just return the raw string (which I won't even post so that it doesn't accidentally make it into someone else's install).

This fixed my problem of being able to post certain code snips in and have it not think that

I wanted to understand what my vulnerability is, and I posted something that I found on google, but it doesn't appear to have any ill effects. I just displays what was posted in.

by the way.... kudos to all the developers of this package, I've been looking through code trying to find some things, and it's really well designed and thought out.

RingoCarr

tlovie - Are you able to share with me via PM what modifications you made to get this to work for you?

Jbodman

i too would like the solution to this i am using it as an abuse ticket system for my irc network and when people paste logs from the mirc client the nicks arn't showing up