FS#7968 - AUR comments strip email in contributor tag

Attached to Project: AUR web interface
Opened by Alex Heck (nesl247) - Thursday, 06 September 2007, 20:35 GMT
Last edited by Roman Kyrylych (Romashka) - Thursday, 04 October 2007, 17:16 GMT
Task Type Bug Report
Category Backend
Status Closed
Assigned To No-one
Architecture All
Severity High
Priority Normal
Reported Version 1.2.9
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

When commenting in the aur with something like this:

# Contributor: username <email@tld.com>

The <email@tld.com> gets striped. As can be seen here: http://aur.archlinux.org/packages.php?do_Details=1&ID=12838
This task depends upon

Closed by  Roman Kyrylych (Romashka)
Thursday, 04 October 2007, 17:16 GMT
Reason for closing:  Fixed
Comment by tardo (tardo) - Saturday, 08 September 2007, 03:32 GMT
Here's a patch to fix it. Brief explanation:

First, comments that are submitted and stored in the DB must be parsed by mysql_real_escape_string(). Before we do that, let's convert all HTML tags to their respective entities, which is done by htmlentities($comment, ENT_QUOTES). This way, when the comment is retrieved from the database, all we do is convert \n to <br /> and it's ready to be parsed.

FS #5128 and FS #7383 also get resolved.

I have also set up a test site where you can test the comments.
http://aur.nagi-fanboi.net/packages.php?do_Details=1&ID=1246
   incomplete-comment.patch (1.2 KiB)
Comment by tardo (tardo) - Saturday, 08 September 2007, 03:34 GMT
Would be nice if someone could verify that it comments aren't vulnerable to XSS/Injections.

This is of course, synced to the latest revision.
Comment by tardo (tardo) - Saturday, 08 September 2007, 03:36 GMT
forgot ENT_QUOTES.
   incomplete-comment.patch (1.2 KiB)
Comment by tardo (tardo) - Sunday, 09 September 2007, 00:11 GMT
Here's a better patch after talking it over with Thralas. Thanks!
   incomplete-comment.patch (0.5 KiB)

Loading...