From 90a093fc5ff562530b37a4e033e6862eb70d7c13 Mon Sep 17 00:00:00 2001
From: Meik Sievertsen
Date: Thu, 22 Dec 2005 11:34:02 +0000
Subject: [PATCH] fix the html issue...

git-svn-id: file:///svn/phpbb/branches/phpBB-2_0_0@5369 89ea8834-ac86-4346-8a33-228a782c2dd0
---
phpBB/docs/CHANGELOG.html | 3 ++-
phpBB/includes/functions_post.php | 4 ++--
2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/phpBB/docs/CHANGELOG.html b/phpBB/docs/CHANGELOG.html
index 6092b0cb87..f4a3592ddf 100644
--- a/phpBB/docs/CHANGELOG.html
+++ b/phpBB/docs/CHANGELOG.html
@@ -75,7 +75,8 @@ p,ul,td {font-size:10pt;}
  • [Fix] change truncation of username length in usercp_register.php - BFUK
  • [Fix] incorrect path to avatars in admin_users.php (Bug #667)
  • [Fix] fixed get_userdata to support correct sql escaping (non-mysql dbs) - jarnaez
  • -
  • [Sec] fixed XSS issue in IE within the url bbcode
  • +
  • [Sec] fixed XSS issue (only valid for Internet Explorer) within the url bbcode
  • +
  • [Sec] fixed XSS issue (only valid for Internet Explorer) if html tags are allowed and enabled
diff --git a/phpBB/includes/functions_post.php b/phpBB/includes/functions_post.php
index ab3ae3bc43..a971e702a2 100644
--- a/phpBB/includes/functions_post.php
+++ b/phpBB/includes/functions_post.php
@@ -25,8 +25,8 @@ if (!defined('IN_PHPBB'))
 die('Hacking attempt');
 }
 
-$html_entities_match = array('#&(?!(\#[0-9]+;))#', '#<#', '#>#');
-$html_entities_replace = array('&', '<', '>');
+$html_entities_match = array('#&(?!(\#[0-9]+;))#', '#<#', '#>#', '#"#');
+$html_entities_replace = array('&', '<', '>', '"');
 
 $unhtml_specialchars_match = array('#>#', '#<#', '#"#', '#&#');
 $unhtml_specialchars_replace = array('>', '<', '"', '&');
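Review bot: The new `'#"#'` pair added to `$html_entities_match` still leaves the single quote unencoded, so a value placed inside a single-quoted HTML attribute gets none of the protection the double-quoted case just received; appending a fifth pair, `'#\'#'` in `$html_entities_match` and `'&#39;'` in `$html_entities_replace`, would bring the table in line with `htmlspecialchars(..., ENT_QUOTES)`. The lookahead in the first pattern, `(?!(\#[0-9]+;))`, exempts only decimal numeric character references, so existing `&#NNN;` sequences pass through untouched while named entities and hex `&#x..;` references are re-encoded; that asymmetry is not obvious from the declaration and deserves a comment such as `// Leaves existing decimal &#NNN; references intact; everything else, including named entities, is re-encoded`. The replacement strings as rendered on this page appear as bare `&`, `<`, `>`, `"`, which would make the `preg_replace` a no-op; presumably the actual source holds the entity forms and the page decoded them, but that is worth confirming against the file itself.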