Posted by FreeFox on June 12, 2008 at 2:24pm
Jump to:
| Project: | Chatblock |
| Version: | 6.x-1.x-dev |
| Component: | Code |
| Category: | bug report |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | closed (fixed) |
Issue Summary
Hi, we have several users complaining about + and & doesn't show up in the chatblock. The + just doesn't show up and the & drops all that was typed after it (including the &)
eg. "1 + 1 = 2"
result: "1 1 = 2"
eg. "a cat & a dog"
result: "a cat"
Can you please check this?
Thanks
Jan
Comments
#1
The chatblock uses the Drupal function 'check_plain' to filter user input. This prevents malicious users from using the chatblock to post malicious JavaScript through something called an XSS attack.
For security reasons this isn't going to change.
However when I get a chance, I'll take a closer look at the problem and see if I can duplicate it (which seems likely) and confirm that my suspicion above is correct.
Dave
#2
Oh another possibility is that the + and & symbol are reserved for use by Firefox (and Internet explorer) as special symbols. It may be that the user input has to be specially encoded so these symbols show up properly.
Dave
#3
Hi dwees, thanks for lookin at this issue.
The funny thing is that IE has no problems with the + and &, only firefox. In all other parts op de site (nodes, comments, sign-up, etc ... it works fine. So if it gets filtered out than only with Firefox.
btw, I read the post about the merger of chat modules. It would indeed be great to have only 1 or 2 modules but I would like your approach to be build in. That means: I like the block where all members can chat with eachother. I use it on several sites. Imagine game web sites where all members of a guild/clan can also chat with eachother on the site and not only in game ;)
I would be very happy if you could solve this.
A big chatblock fan.
Jan
#4
Yeah looked into this myself. I see the problem, it's definitely because of the filtering we are doing on the text. Since this filtering prevents much worse problems (like users escalating their privileges or running whatever JavaScript they want on your page).
So I'm setting this to won't fix. Sorry.
#5
Hi dwees, thank for looking into this. I understand what you say except for the fact that it works on IE so people using IE could still send arbitrary stuff through chatbox?
#6
Hrmm. That's a good question, maybe my analysis is incorrect, because I'm fairly certain filtering the user input should look the same in both browsers. I forgot that it worked fine in IE. I wonder if there are any other symbols which are 'lost' in Firefox?
#7
Hi Dwees, you were right, there is one more: <
So in ASC 0 - 127 the problem characters are "+" "&" and "<"
Hope this helps
Thanks
Jan
#8
My guess is that I need to encode the output before sending it back, but I don't want to end up everything, just the problem characters. If you keep track of a list, I'll figure out a string replacement technique that will replace the problem characters with their html entities.
Dave
#9
dwees was right, this is a filtering issue.Actually it is a problem with the current way the JS transmits the data (json encoding). It will be solved in the next (first) stable release (but only for D6 as the D5 branch will not be pursued in the foreseeable future).#10
Resolved with the latest dev snapshot (should be available from 12pm today).
#11
Automatically closed -- issue fixed for 2 weeks with no activity.