Quote: Nareed: If you use an apostrophe in a PM title, then when the recipient replies, the title gets cut to the letter before the apostrophe. For example, if I title a PM "Here's the thing", the reply will say "RE: Here"
The others are right. It's because the PMs (like all the messages here) are stored in a database, and when inserting data in a MySQL database (as is in use here) you separate the bits you want inserted with single tick apostrophes. So, if one of those characters appears in the bit you want inserted, the database thinks that's the end of that bit. There are ways around it of course; you* can "escape" the offending characters, which basically strips them of any special meaning.
On the bright side DT doesn't have that problem, so if the person you want to PM is over there you can use that system, and if JB did it over there I'm sure he can apply it here, so maybe it's just a matter of bringing it to his attention.
*By "you" I meant the programmer, but you might even be able to do it, I'm not sure how JB is sanitizing his input. If you'd like to try, make your PM title "Here/'s the thing." and see if that works for you.
Quote: MonkeyMonkey: If you'd like to try, make your PM title "Here/'s the thing." and see if that works for you.
That/s 'so r:idi;icu}l[o&uÑs!
In other words, the HTML looked like this:
<input value='Here's an example'>
So the apostrophe in "Here's" terminated the string and the rest was ignored by your browser. It is fixed now, using double-quotes as it should (and double quotes are already escaped, so the same problem will not happen if there is a double-quote in the subject).
So, rest assured that no matter what you put in a text box on this site, I am the only one who will be wiping out 3 years of data in 2 seconds flat.
Quote: JB: ... I am the only one who will be wiping out 3 years of data in 2 seconds flat.
Hadn't you learned that lesson already?
Quote: JB: <input value='Here's an example'>
So it was actually a cross-site scripting vulnerability. If the PM title were something like Title'><script> {evil stuff} </script><input value='Title
the script would have run in the site's browser context, and could have been used to read the password from this site (if it is in a cookie).
The exploit-proof solution of that problem is *not* changing the ' to a " delimiter in the HTML code; it is to properly escape the database plaintext fields to the HTML context when sending them to the client. This way you also get rid of any other attack of this type you haven't checked yet.
Quote: MangoJ: So it was actually a cross-site scripting vulnerability. If the PM title were something like Title'><script> {evil stuff} </script><input value='Title
the script would have run in the site's browser context, and could have been used to read the password from this site (if it is in a cookie).
The exploit-proof solution of that problem is *not* changing the ' to a " delimiter in the HTML code; it is to properly escape the database plaintext fields to the HTML context when sending them to the client. This way you also get rid of any other attack of this type you haven't checked yet.
First, HTML entities are already escaped, so your example would look like this:
Title'&gt;&lt;script&gt; {evil stuff} &lt;/script&gt;&lt;input value='Title
Second, you are incorrect regarding which quote character to use. Double-quotes in content escape to &quot; whereas single-quotes do not escape at all, therefore using double-quotes to surround escaped content inside a tag is the only correct way to go about it.
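To make the three positions in this thread concrete, here is an added example (not code from the forum software or from any poster) that builds the reply-subject input tag three ways: the original single-quoted, unescaped tag; JB's double-quoted tag with &, <, > and " escaped; and MangoJ's full attribute-context escaping, which also encodes the apostrophe. The sample subjects and the toy attribute reader are constructed for the demonstration.

```python
import html

# Constructed sample PM subjects, mirroring the ones discussed in the thread.
APOSTROPHE_SUBJECT = "Here's the thing"
MARKUP_SUBJECT = "Title'><script>evil</script><input value='Title"


def render_broken(subject: str) -> str:
    """The original bug: single-quoted attribute, subject inserted verbatim."""
    return f"<input value='{subject}'>"


def render_double_quoted(subject: str) -> str:
    """JB's fix as described: double-quoted attribute; the site's existing
    escaping covers &, <, > and " but leaves ' untouched."""
    escaped = (subject.replace("&", "&amp;").replace("<", "&lt;")
               .replace(">", "&gt;").replace('"', "&quot;"))
    return f'<input value="{escaped}">'


def render_context_escaped(subject: str) -> str:
    """MangoJ's recommendation: escape for the HTML attribute context,
    apostrophe included, so the delimiter choice no longer matters.
    html.escape(quote=True) encodes & < > " and ' (as &#x27;)."""
    return f"<input value='{html.escape(subject, quote=True)}'>"


def attribute_value_as_browser_sees(tag: str) -> str:
    """Toy reader: the text between the quote after 'value=' and the next
    identical quote, which is exactly how the 'RE: Here' truncation arose.
    A deliberate simplification, not a real HTML parser."""
    start = tag.index("value=") + len("value=")
    quote = tag[start]
    end = tag.index(quote, start + 1)
    return html.unescape(tag[start + 1:end])


if __name__ == "__main__":
    for render in (render_broken, render_double_quoted, render_context_escaped):
        for subject in (APOSTROPHE_SUBJECT, MARKUP_SUBJECT):
            tag = render(subject)
            print(render.__name__, "->", tag)
            print("   browser sees:", attribute_value_as_browser_sees(tag))
```

Only the context-escaped variant emits no raw quote or angle bracket from the subject at all, which is why it holds up regardless of which delimiter the template happens to use.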