diff --git a/phpBB/docs/CHANGELOG.html b/phpBB/docs/CHANGELOG.html
index 6092b0cb87..f4a3592ddf 100644
--- a/phpBB/docs/CHANGELOG.html
+++ b/phpBB/docs/CHANGELOG.html
@@ -75,7 +75,8 @@ p,ul,td {font-size:10pt;}
  • [Fix] change truncation of username length in usercp_register.php - BFUK
  • [Fix] incorrect path to avatars in admin_users.php (Bug #667)
  • [Fix] fixed get_userdata to support correct sql escaping (non-mysql dbs) - jarnaez
  • -
  • [Sec] fixed XSS issue in IE within the url bbcode
  • +
  • [Sec] fixed XSS issue (only valid for Internet Explorer) within the url bbcode
  • +
  • [Sec] fixed XSS issue (only valid for Internet Explorer) if html tags are allowed and enabled
  • diff --git a/phpBB/includes/functions_post.php b/phpBB/includes/functions_post.php
index ab3ae3bc43..a971e702a2 100644
--- a/phpBB/includes/functions_post.php
+++ b/phpBB/includes/functions_post.php
@@ -25,8 +25,8 @@ if (!defined('IN_PHPBB'))
 die('Hacking attempt');
 }
-$html_entities_match = array('#&(?!(\#[0-9]+;))#', '#<#', '#>#');
-$html_entities_replace = array('&', '<', '>');
+$html_entities_match = array('#&(?!(\#[0-9]+;))#', '#<#', '#>#', '#"#');
+$html_entities_replace = array('&', '<', '>', '"');
 $unhtml_specialchars_match = array('#>#', '#<#', '#"#', '#&#');
 $unhtml_specialchars_replace = array('>', '<', '"', '&');
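Review bot: The new `'#"#'` entry in `$html_entities_match` covers the double quote only; a single quote still passes through unchanged, so text that lands inside a single-quoted HTML attribute is not neutralised by this table. Adding `'#\'#'` to `$html_entities_match` and `'&#039;'` to `$html_entities_replace` would bring the pair in line with `htmlspecialchars(..., ENT_QUOTES)`, and because `preg_replace` applies the array patterns in order with the `&` rule first, the entity introduced for the quote is not itself re-escaped. The reverse table `$unhtml_specialchars_match` on the following lines would then need the matching entry so that the round trip stays symmetric. The negative lookahead `(?!(\#[0-9]+;))` that keeps already-encoded numeric references intact deserves a one-line comment, e.g. `// leave numeric character references (&#NNN;) untouched, encode every other '&'`. The `if (!defined('IN_PHPBB'))` guard whose closing brace opens the hunk starts outside it.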