Phpfox bug in parsing filter

I recently changed some links on a phpfox site that were posted with anchor tags and they didn't work. Upon investigation I found that my link http://xxxxclassofxx.com was changed to http://xxxxtitleofxx.com.

This was caused by the PHP code in the file /include/library/phpfox/parse/input.class.php around line 978:

            $sTxt = preg_replace('#'.$sRemove.'#i', 'title', $sTxt);

The purpose of this code is to not allow website users to use HTML code that would disrupt the style of the webpage. Unfortunately, they did not allow for use of these strings in ways other than as tag attributes.

This can be considered a bug and can be fixed by changing the $_aEvilEvents array slightly. This is defined around line 26, and if you go down to around line 90 you will see entries for class and style. Notice that there is no space before or after these entries. Because class and style used as attributes require a leading space, whereas URLs do not use spaces, inserting a space before class and style should fix this issue.

Before:

        'class',
        'style'

After:

        ' class',
        ' style'


data66DuCarlion

Comments

  • Note: This solution can allow evil events to still be posted. A better solution would be to change the original code from:

    $sTxt = preg_replace('#'.$sRemove.'#i', 'title', $sTxt);
    

    To:

    $sTxt = preg_replace('#'.$sRemove.'\s*\=#i', 'title', $sTxt);
    

    This will test for the required '=', ignoring whitespace.

    data66DuCarlion
  • Thanks @Webwolf, is this v3 or v4 or both?
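
The replacement variants discussed in this thread, run side by side on constructed inputs. This is an added example, not part of the original posts and not phpFox code. The `apply_filter` helper, the once-per-entry loop and the sample strings are assumptions, and the `lookahead` row is a variation that leaves the `=` in the output.

```php
<?php
// Added example, not phpFox code. $aEvil stands in for the class/style
// entries of $_aEvilEvents; every sample string below is constructed.

// Assumption: the filter runs the replacement once per array entry.
function apply_filter(string $sTxt, array $aEvil, string $sSuffix): string
{
    foreach ($aEvil as $sRemove) {
        $sTxt = preg_replace('#' . $sRemove . $sSuffix . '#i', 'title', $sTxt);
    }
    return $sTxt;
}

$aVariants = [
    // label => [array entries, text appended to each pattern]
    'original'      => [['class', 'style'], ''],
    'leading space' => [[' class', ' style'], ''],
    'comment \s*\=' => [['class', 'style'], '\s*\='],
    // Variation (not from the page): the lookahead leaves "=" in the output.
    'lookahead'     => [['class', 'style'], '(?=\s*=)'],
];

$aSamples = [
    'http://example.com/classof99',                 // word inside a URL
    'http://example.com/?class=3',                  // query parameter
    '<a class="x" href="/p">link</a>',              // space before attribute
    "<a\tstyle=\"color:red\" href=\"/p\">link</a>", // tab before attribute
    '<a class = "x" href="/p">link</a>',            // spaces around "="
];

foreach ($aVariants as $sLabel => [$aEvil, $sSuffix]) {
    echo "== $sLabel ==\n";
    foreach ($aSamples as $sIn) {
        $sOut  = apply_filter($sIn, $aEvil, $sSuffix);
        $sFlag = ($sOut === $sIn) ? 'unchanged' : 'rewritten';
        // Show tabs visibly so the whitespace case is readable.
        printf("  %-9s %s\n", $sFlag, str_replace("\t", '\t', $sOut));
    }
}
```

The `?class=3` row shows that a pattern keyed on the name followed by `=` still cannot tell an attribute from a query parameter.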
