
Whole lotta escaping going on!

edited July 2005 in Vanilla 1.0 Help
I was testing the ability of Vanilla to display code examples (for use on a developer site), and so I tried using both BBCode and Markdown to achieve the proper effect. Vanilla doesn't yet support the BBCode [code] tag, and I looked in the BBCode.php code and found that not much of BBCode is supported at this point, so I turned to Markdown, which requires 4 spaces at the beginning of a line of preformatted code, so I did that.

It works well for preformatting the code, but the output I got looks like this:

<form action="POST">

So, it appears to be escaping the output of the left arrow bracket (<) twice. My first thought was that it may be escaping the output before saving to the database, which is not a good practice, but I've checked the database, and everything there is the raw input--great!

So, I took a look at the Markdown.php file and found the ProtectString() function, of which the only action it takes is to convert all instances of < to &lt;. However, it appears that there are other functions in the application that apply to the output after this is run, so when those functions (I guess they're something similar to htmlentities()) are applied, it converts the &lt; that Markdown created to &amp;lt; and then sends it to the browser.

I found a similar function in BBCode.php, as well.

When I comment out the line of code that does this in the ProtectString() function, all output appears as expected.
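To make the double escaping described above concrete, here is an added Python model (not Vanilla's PHP, and not part of the original post): a toy renderer runs the ProtectString()-style step followed by an assumed htmlentities()-like output pass, beside a version that escapes user text exactly once. The renderer, the filter names and the sample comment are constructed assumptions.

```python
import html
import re
# Constructed sample comment (not from the thread): prose, a 4-space indented
# Markdown code line holding HTML, and raw inline HTML in prose.
SAMPLE_COMMENT = (
    "Try this form:\n"
    '    <form action="POST">\n'
    "Looks <b>bold</b> to me."
)
def protect_string(code):
    """Models the ProtectString() behaviour the post describes: only '<' is touched."""
    return code.replace("<", "&lt;")

def render(text, code_filter, prose_filter):
    """Toy Markdown renderer (assumption, not Vanilla's): 4-space indented lines become
    a code block, everything else a paragraph; user text passes through the given filter."""
    out = []
    for line in text.split("\n"):
        if line.startswith("    "):
            out.append("<pre><code>%s</code></pre>" % code_filter(line[4:]))
        else:
            out.append("<p>%s</p>" % prose_filter(line))
    return "\n".join(out)

def buggy_pipeline(text):
    """Code: ProtectString() then an assumed htmlentities()-like output pass, so '<'
    ends up as '&amp;lt;'. Prose: no filter at all, so user HTML reaches the browser."""
    return render(text, lambda s: html.escape(protect_string(s)), lambda s: s)

def fixed_pipeline(text):
    """Escape every piece of user text exactly once, at the point the HTML is built."""
    return render(text, html.escape, html.escape)

def reader_sees(fragment):
    """Approximates the text a browser shows: drop tags, decode entities once."""
    return html.unescape(re.sub(r"<[^>]+>", "", fragment))

def double_escape_markers(fragment):
    """Detection: entities whose own '&' was escaped again, e.g. '&amp;lt;'."""
    return re.findall(r"&amp;(?:lt|gt|quot|amp|#\d+);", fragment)

def raw_tags_in_prose(fragment):
    """Detection: a tag inside a paragraph that the renderer did not emit."""
    return re.findall(r"<p>[^<]*(<[a-zA-Z][^>]*>)", fragment)

if __name__ == "__main__":
    for fn in (buggy_pipeline, fixed_pipeline):
        out = fn(SAMPLE_COMMENT)
        print(fn.__name__, double_escape_markers(out), raw_tags_in_prose(out), reader_sees(out), sep="\n")
```

Running it shows the buggy path both leaking the `<b>` tag from prose and rendering the code line as a literal `&lt;form ...`, while the fixed path shows the code verbatim and the prose tag as text.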

Comments

  • Mark (Vanilla Staff)
    edited July 2005
    Ahh yes. I did that in order to prevent html from rendering in markdown.
  • But it's being properly escaped on output without that line of code.
  • Mark (Vanilla Staff)
    edited July 2005
    Yeah, and it's also not stopping you from posting tons of html, right? If that is the case, I'll come up with a proper fix for it. Just have to give it a think.
  • If I place 4 spaces at the beginning of the line, it properly escapes the HTML when sending to the browser. Without the 4 spaces, it doesn't escape the HTML and sends it to the browser as HTML.
  • Mark (Vanilla Staff)
    edited July 2005
    Yeah - that's what I thought. See, Markdown was written under the impression that it would be the blog-owner type of person using it, and a blog owner will always want his blog to look correct. However, with forum software, it's just a user that will decide the format of comments, and so leaving markdown open to attack like that is a big no-no. So, I'll have to think about how to alter markdown so that it doesn't break when you format the html in the comments.