[geeklog-devel] [geeklog-cvs] Geeklog-1.x/public_html profiles.php, 1.54, 1.55

Joe Mucchiello joe at ThrowingDice.com
Thu Feb 21 10:33:11 EST 2008


At 10:17 AM 2/21/2008, Michael Jervis wrote:
> >  Ah, yes. So why not replace with spaces so the "subject" of the email
> >  is the subject requested?
>
>Because a newline can not legitimately be submitted from an input
>type="text", nor would anyone try and insert one unless one was an
>evil h4x0r.
>
>(And that's what the code does elsewhere for sending the subject, so I
>just made the edit-re-display consistent with the version that would
>be sent to the person).

Well, copied code is always a system gremlin.

I figured out why I didn't notice it was an email subject--

+             $subject = htmlspecialchars (trim ($subject), ENT_QUOTES);
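Review bot: htmlspecialchars() encodes characters for HTML output and leaves CR and LF untouched, so this line does not address the newline concern raised upthread for a value that ends up in a mail Subject header; handle the header case separately (unfold RFC 2822 folding whitespace, then strip or reject any remaining bare CR/LF) and apply htmlspecialchars() only at the point where the subject is re-displayed in the form.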

Why call htmlspecialchars on an email subject? I know it's copied 
code. Doesn't mean the original code is correct.

Oh, and according to RFC2822 section 2.2.3, CRLF is allowed in a 
subject as long as it is at the front of other white space.


----
Joe Mucchiello
Throwing Dice Games
http://www.throwingdice.com 
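To make the distinction in the thread concrete, here is an added example (not Geeklog code; the helper names are hypothetical) that treats the subject as a mail header first and as HTML only at display time: folding whitespace per RFC 2822 section 2.2.3 is collapsed, any remaining bare CR or LF causes the value to be refused, and htmlspecialchars() is shown to leave CRLF alone.

```php
<?php
// Added example, not from Geeklog. htmlspecialchars() encodes <, >, &
// and quotes for HTML output; it leaves CR and LF untouched, so it is
// not a defence against header injection. RFC 2822 section 2.2.3 allows
// CRLF inside a header only as "folding", i.e. when it is immediately
// followed by whitespace; a bare CRLF would start a new header line.

/**
 * Return the subject ready for a mail header, or null if it cannot be
 * made safe. Hypothetical helper name.
 */
function sanitizeMailSubject(string $subject): ?string
{
    // Unfold: a line break (CRLF, LF or CR) followed by one or more
    // spaces/tabs is legitimate folding whitespace and becomes one space.
    $unfolded = preg_replace('/\r?\n[ \t]+|\r[ \t]+/', ' ', $subject);

    // Any line break still present is bare, so a second header could be
    // smuggled in. Refuse the value instead of silently "repairing" it.
    if (preg_match('/[\r\n]/', $unfolded)) {
        return null;
    }

    $unfolded = trim($unfolded);
    return $unfolded === '' ? null : $unfolded;
}

/**
 * HTML-encode only when re-displaying the subject in a form field.
 * Hypothetical helper name.
 */
function subjectForHtml(string $subject): string
{
    return htmlspecialchars($subject, ENT_QUOTES, 'UTF-8');
}

// Constructed inputs for demonstration.
$folded   = "Hello\r\n world";           // legal folding: CRLF + space
$injected = "Hello\r\nX-Injected: yes";  // bare CRLF starting a new header

var_dump(sanitizeMailSubject($folded));
var_dump(sanitizeMailSubject($injected));
var_dump(htmlspecialchars($injected, ENT_QUOTES) === $injected);
var_dump(subjectForHtml('<b>"Hi"</b>'));
```

Run with `php example.php`; the folded input collapses to "Hello world", the injected one is refused, and the third check confirms htmlspecialchars() returns the CRLF-bearing string unchanged.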



