[geeklog-devel] [geeklog-cvs] Geeklog-1.x/public_html profiles.php, 1.54, 1.55
Michael Jervis
mjervis at gmail.com
Thu Feb 21 10:39:05 EST 2008
> >Because a newline can not legitimately be submitted from an input
> >type="text", nor would anyone try and insert one unless one was an
> >evil h4x0r.
This still stands: it can only (without resorting to super-human
levels of asshat) have come from malicious input.
> I figured out why I didn't notice it was an email subject--
>
> + $subject = htmlspecialchars (trim ($subject), ENT_QUOTES);
>
> Why call htmlspecialchars on an email subject? I know it's copied
> code. Doesn't mean the original code is correct.
Because we don't want an XSS attack to be made possible by crafting a
URL that opens the email user screen in "redisplay" mode with meanness
in place.
> Oh, and according to RFC2822 section 2.2.3, CRLF is allowed in a
> subject as long as it is at the front of other white space.
You have misread the RFC. The RFC permits you to insert CRLFs into
the subject for display, provided it's at an appropriate whitespace
juncture, to allow for display on width-restricted systems:
Each header field is logically a single line of characters comprising
the field name, the colon, and the field body. For convenience
however, and to deal with the 998/78 character limitations per line,
the field body portion of a header field can be split into a multiple
line representation; this is called "folding". The general rule is
that wherever this standard allows for folding white space (not
simply WSP characters), a CRLF may be inserted before any WSP. For
example, the header field:
    Subject: This is a test
can be represented as:
    Subject: This
     is a test
Note: Though structured field bodies are defined in such a way that
folding can take place between many of the lexical tokens (and even
within some of the lexical tokens), folding SHOULD be limited to
placing the CRLF at higher-level syntactic breaks. For instance, if
a field body is defined as comma-separated values, it is recommended
that folding occur after the comma separating the structured items in
preference to other places where the field could be folded, even if
it is allowed elsewhere.
The process of moving from this folded multiple-line representation
of a header field to its single line representation is called
"unfolding". Unfolding is accomplished by simply removing any CRLF
that is immediately followed by WSP. Each header field should be
treated in its unfolded form for further syntactic and semantic
evaluation.
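As an added illustration of the two points made above (the RFC 2822 folding/unfolding rule, and why a line break arriving from a single-line text input is treated as hostile rather than as folding), here is a small Python sketch. It is not code from Geeklog or from anyone on this thread, it uses Python rather than the project's PHP, and the function names and sample header values are constructed for the example; `escape_for_redisplay` stands in for PHP's `htmlspecialchars(..., ENT_QUOTES)`.

```python
import html
import re

# RFC 2822 section 2.2.3: a CRLF may be inserted before any WSP (space or
# horizontal tab) to fold a long header for display; unfolding removes
# exactly those CRLFs and nothing else.
_FOLD_CRLF = re.compile(r"\r\n(?=[ \t])")


def unfold(field_body):
    """Return the single-line (unfolded) form of a header field body."""
    return _FOLD_CRLF.sub("", field_body)


def is_single_header_line(field_body):
    """True if, after unfolding, no CR or LF remains.

    A CRLF that is NOT followed by WSP is not folding: it terminates the
    header and whatever follows would be parsed as a new header field.
    """
    unfolded = unfold(field_body)
    return "\r" not in unfolded and "\n" not in unfolded


def validate_text_input_subject(raw):
    """Validate a subject that came from an <input type="text">.

    Such a control cannot legitimately produce a line break, so after the
    same trim the patch applies, any remaining CR or LF is rejected (None)
    instead of being interpreted as RFC folding.
    """
    value = raw.strip()
    if "\r" in value or "\n" in value:
        return None
    return value


def escape_for_redisplay(subject):
    """Escape a subject for re-display in an HTML form, analogous to PHP's
    htmlspecialchars($s, ENT_QUOTES): &, <, >, " and ' are all encoded."""
    return html.escape(subject, quote=True)


if __name__ == "__main__":
    # Constructed samples, not taken from the Geeklog code or this thread.
    folded = "Subject: This\r\n is a test"          # the RFC's own example
    print(repr(unfold(folded)))                       # 'Subject: This is a test'
    print(is_single_header_line("This\r\n is a test"))        # True  (folding)
    print(is_single_header_line("This\r\nX-Injected: yes"))   # False (new header)
    print(validate_text_input_subject("  Hello  "))           # 'Hello'
    print(validate_text_input_subject("Hi\r\nX-Injected: y")) # None
    print(escape_for_redisplay("Tom's \"quoted\" <b>"))
```

The distinction the two checks draw is the one argued above: `unfold` is what a mail reader does to a header it already has, while `validate_text_input_subject` is what a web form handler should do to a value it has not yet trusted.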