[geeklog-devel] [geeklog-cvs] Geeklog-1.x/public_html profiles.php, 1.54, 1.55
Joe Mucchiello
joe at ThrowingDice.com
Thu Feb 21 10:33:11 EST 2008
At 10:17 AM 2/21/2008, Michael Jervis wrote:
> > Ah, yes. So why not replace with spaces so the "subject" of the email
> > is the subject requested?
>
> Because a newline can not legitimately be submitted from an input
> type="text", nor would anyone try and insert one unless one was an
> evil h4x0r.
>
> (And that's what the code does elsewhere for sending the subject, so I
> just made the edit-re-display consistent with the version that would
> be sent to the person).
Well, copied code is always a system gremlin.
I figured out why I didn't notice it was an email subject--
+ $subject = htmlspecialchars (trim ($subject), ENT_QUOTES);
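Review bot: htmlspecialchars() on this line only entity-encodes &, <, > and quotes for HTML output; it leaves CR and LF untouched, so it is not a defence against the newline-in-subject problem raised earlier in the thread. If the value on this path can still reach the outgoing mail header, the CR/LF replacement the thread says the send path already performs needs to happen there too, with the HTML escaping kept only for re-display in the form.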
Why call htmlspecialchars on an email subject? I know it's copied
code. Doesn't mean the original code is correct.
Oh, and according to RFC2822 section 2.2.3, CRLF is allowed in a
subject as long as it is at the front of other white space.
----
Joe Mucchiello
Throwing Dice Games
http://www.throwingdice.com
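To make the distinction in this thread concrete (legitimate RFC 2822 folding, CRLF followed by whitespace, versus a bare newline that starts a new header field, and the fact that HTML escaping does nothing about either), here is an added example. It is illustrative code written for this page, not Geeklog's profiles.php; the function names and the sample subjects are constructed, and Python's html.escape stands in for PHP's htmlspecialchars.

```python
import html
import re

# RFC 2822 section 2.2.3: a CRLF immediately followed by WSP (space or tab)
# is "folding" and is legal inside a header; unfolding simply removes the CRLF.
FOLDING_CRLF = re.compile(r"\r\n(?=[ \t])")


def unfold_subject(subject: str) -> str:
    """Remove legal folding (CRLF + WSP). Any CR/LF that survives is suspicious."""
    return FOLDING_CRLF.sub("", subject)


def has_header_injection(subject: str) -> bool:
    """True if a bare CR or LF remains after unfolding: in a raw header block it
    would terminate the Subject line and start a new header field."""
    unfolded = unfold_subject(subject)
    return "\r" in unfolded or "\n" in unfolded


def sanitize_subject(subject: str) -> str:
    """Defensive normalisation for a value headed into a mail header:
    honour legal folding, then replace any remaining CR/LF with a single space."""
    unfolded = unfold_subject(subject)
    return re.sub(r"[\r\n]+", " ", unfolded).strip()


def html_escaping_preserves_newlines(subject: str) -> bool:
    """html.escape (like htmlspecialchars) encodes &, <, >, and quotes only;
    returns True when CR/LF in the input pass through it unchanged."""
    escaped = html.escape(subject, quote=True)
    return ("\r" in escaped) == ("\r" in subject) and ("\n" in escaped) == ("\n" in subject)


def build_headers(to_addr: str, subject: str) -> str:
    """Assemble a minimal header block the way a naive mailer would."""
    return f"To: {to_addr}\r\nSubject: {subject}\r\n"


def header_field_count(raw_headers: str) -> int:
    """Count header fields: a line that does not start with WSP begins a new field,
    so an injected CRLF shows up as an extra field."""
    return sum(
        1 for line in raw_headers.split("\r\n")
        if line and not line.startswith((" ", "\t"))
    )


if __name__ == "__main__":
    # Constructed sample inputs.
    folded = "Re: your profile\r\n (sent via the site)"      # legal folding
    injected = "Re: your profile\r\nX-Injected: yes"          # bare CRLF + new field

    for label, subj in (("folded", folded), ("injected", injected)):
        print(f"{label}: injection={has_header_injection(subj)}, "
              f"fields(raw)={header_field_count(build_headers('user@example.com', subj))}, "
              f"fields(sanitized)={header_field_count(build_headers('user@example.com', sanitize_subject(subj)))}, "
              f"html_escape_leaves_newlines={html_escaping_preserves_newlines(subj)}")
```

The two checks that matter for the thread are `has_header_injection`, which stays quiet for legal folding but fires for a bare CRLF, and `html_escaping_preserves_newlines`, which shows why escaping for HTML is the wrong tool for this particular risk.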