PHPBB3-16630 - Preserve the text manipulation API

Discuss requests for comments/changes posted in the Issue Tracker for the development of phpBB. Current releases are 3.2/Rhea and 3.3/Proteus.
JoshyPHP
Registered User
Posts: 378
Joined: Fri Jul 08, 2011 9:43 pm

PHPBB3-16630 - Preserve the text manipulation API

Post by JoshyPHP »

https://github.com/phpbb/phpbb/pull/6071/files

My apologies for the terseness. If anything's unclear, feel free to ping me and I'll develop.

phpBB 3.3.2 fixes a security issue labeled security-264. I don't have access to it and only became aware of it today. The commit that fixes it is there: https://github.com/phpbb/phpbb/commit/3 ... 1ccce1c72a

I gather that it's meant to fix strip_bbcode()'s behaviour with regard to HTML entities, specifically a code path that I personally wrote. I did not realize that strip_bbcode() was meant to be HTML-safe; that's why its return value was not HTML-safe. For anything posted or reparsed on phpBB >= 3.2, the function relies on the text_formatter.s9e.utils service, which implements the phpbb\textformatter\utils_interface API. None of that API is meant to be HTML-safe.

The proposed merge request moves the HTML escaping out of the text_formatter.s9e.utils implementation and back to strip_bbcode() to restore the former's behaviour while keeping the latter safe to be used in HTML. I've added a comment to make it clear what "plain text" and "parsed text" refer to.
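The layering described above, as an added example that is not phpBB's code or the merge request itself: a plain-text utility in the style of utils_interface that is deliberately not HTML-safe, an HTML-facing wrapper in the style of strip_bbcode() that escapes at the output boundary, and a variant that escapes inside the utility to show why plain-text consumers break. All function names, the regex and the sample post are hypothetical stand-ins.

```php
<?php
// Added example, not phpBB's code. Models the contract the merge request
// restores: the text utility returns plain text (not HTML-safe); escaping
// happens once, in the HTML-facing wrapper. Names are hypothetical.

/**
 * utils_interface-style utility: remove BBCode markers, return raw text.
 * Callers that need plain text (search index, plain-text notification
 * e-mails) get exactly the author's characters, with no entities.
 */
function plain_remove_bbcode(string $text): string
{
    // Strip [tag], [tag=value], [*] and [/tag] markers; keep inner text.
    return preg_replace('#\[/?[a-z*]+(?:=[^\]]*)?\]#i', '', $text);
}

/**
 * strip_bbcode()-style wrapper: same result, escaped for an HTML template.
 * This is the one place where HTML escaping belongs in this model.
 */
function strip_bbcode_for_html(string $text): string
{
    return htmlspecialchars(plain_remove_bbcode($text), ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * The layering the post argues against, modelled on its description:
 * escaping done inside the utility. Every plain-text consumer now receives
 * entities, and an HTML consumer that escapes its own output double-encodes.
 */
function escaping_utility_remove_bbcode(string $text): string
{
    return htmlspecialchars(plain_remove_bbcode($text), ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample post: BBCode plus characters that are special in HTML.
$post = '[b]Tom & Jerry[/b] wrote about [url=https://example.test]the <b> tag[/url]';

// 1) Plain-text consumer (e.g. text/plain e-mail body): must see "&" and "<".
echo "plain:        ", plain_remove_bbcode($post), PHP_EOL;

// 2) HTML template: single escape at the boundary, safe to print.
echo "html-safe:    ", strip_bbcode_for_html($post), PHP_EOL;

// 3) Utility that escapes: the plain-text consumer now shows "&amp;" to the
//    reader, and an HTML consumer that escapes again produces "&amp;amp;".
echo "wrong layer:  ", escaping_utility_remove_bbcode($post), PHP_EOL;
echo "double-escape:", htmlspecialchars(escaping_utility_remove_bbcode($post), ENT_QUOTES | ENT_HTML5, 'UTF-8'), PHP_EOL;
```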
3Di
Registered User
Posts: 873
Joined: Tue Nov 01, 2005 9:50 pm
Location: Milano (I) Frankfurt (D)

Re: PHPBB3-16630 - Preserve the text manipulation API

Post by 3Di »

I am following this point carefully and thank you for your contribution 👍, on time as always, I would say. We have many extensions that use your utilities; it's difficult to test them all now, but I'll let you know in case of problems. For the moment I have applied your patch to my official downloads, waiting to have time to install and work with them. At first glance your patch seems more than logical to me, IMO.
Please PM me only to request paid works. Thx.
Want to compensate me for my interest? Donate
My development's activity º PhpStorm's proud user
Extensions, Scripts, MOD porting, Update/Upgrades
👨‍🏫 | Take a tour to | The Studio | 👨‍🏫