PHPBB3-16630 - Preserve the text manipulation API

Discuss requests for comments/changes posted in the Issue Tracker for the development of phpBB. Current releases are 3.2/Rhea and 3.3/Proteus.
Post Reply
User avatar
JoshyPHP
Registered User
Posts: 381
Joined: Fri Jul 08, 2011 9:43 pm

PHPBB3-16630 - Preserve the text manipulation API

Post by JoshyPHP »

https://github.com/phpbb/phpbb/pull/6071/files

My apologies for the terseness. If anything's unclear, feel free to ping me and I'll develop.

phpBB 3.3.2 fixes a security issue labeled security-264. I don't have access to it and only became aware of it today. The commit that fixes it is there: https://github.com/phpbb/phpbb/commit/3 ... 1ccce1c72a

I gather that it's meant to fix strip_bbcode()'s behaviour with regards to HTML entities, specifically a code path that I personally wrote. I did not realize that strip_bbcode() was meant to be HTML-safe, that's why its return value was not HTML-safe. For anything posted or reparsed on phpBB >= 3.2, the function relies on the text_formatter.s9e.utils service which implements the phpbb\textformatter\utils_interface API. None of that API is meant to be HTML-safe.

The proposed merge request moves the HTML escaping out of the text_formatter.s9e.utils implementation and back to strip_bbcode() to restore the former's behaviour while keeping the latter safe to be used in HTML. I've added a comment to make it clear what "plain text" and "parsed text" refer to.

User avatar
3Di
Registered User
Posts: 951
Joined: Tue Nov 01, 2005 9:50 pm
Location: Milano 🇮🇹 Frankfurt 🇩🇪
Contact:

Re: PHPBB3-16630 - Preserve the text manipulation API

Post by 3Di »

I am following this point carefully and thank you for your contribution 👍, on time as always I would say. We have many extensions that use your utilities, it's difficult to test them all now but I'll let you know in case of problems. For the moment I have applied your patch to my official downloads waiting to have time to install and work with them. At a first glance your patch it seems more than logical to me, IMO.
🆓 Free support for our extensions also provided here: phpBB Studio
🚀 Looking for a specific feature or alternative option? We will rock you!
Please PM me only to request paid works. Thx. Want to compensate me for my interest? Donate
My development's activity º PhpStorm's proud user º Extensions, Scripts, MOD porting, Update/Upgrades

Post Reply