2.0.17 - smileys with quotes in code not displayed

Started by Shadow aok, October 12, 2020, 02:18:08 PM


Shadow aok

Hello,

I created (successfully) a smiley with a quote in its code, but SMF won't display it in posts, although there's no error anywhere.

    Version(s) of SMF : 2.0.17
    Your Setup:
        Mods : Tapatalk SMF 2.0 Plugin, Happy Birthday, Simple Audio Video Embedder, Recount Member Posts, Birthday Posts, Add Favicon.ico Support, Simple Audio Video Embedder, Ohara YouTube Embed, Simple Announcement Mod, Spoiler BBCode, SMF 2.0.X - PHP 7.2+ Compatibility, SMF Multi Quote
        Theme : default
        Languages : english and french
        utf-8 : enabled
        caching level : 1 - memcached
    Server Software:
        nginx 1.18.0
        PHP 7.4
        mariaDB 8.0.21
    Where the Error Occurred
        No error in browser console, SMF, php or nginx logs
    How to Reproduce this Error? : Create a smiley with a quote in it (e.g. [:carbon'r:7]). No issue at creation, and we can select the smiley, but the forum won't display it, only its text will be shown in forum posts.

Arantor

It's not fixable without introducing a security hole.

Shadow aok


Arantor

The issue is that it gets saved with a conversion to its entity form along the way. Not doing this (as happens to :'( on install) means anyone with edit smileys (a non admin permission) could hijack an admin account by using it to XSS the admin account.

Double quote has a similar problem.
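
The trade-off described in the reply above, as an added example that is not part of the thread and not SMF source code: a smiley code saved raw versus saved in entity form, then written into an HTML attribute. `save_smiley_code()`, `render_smiley()`, `img_attributes()`, the file name `carbon.gif` and the second sample code are hypothetical, and the single-quoted `alt` attribute is an assumed, simplified output template.

```php
<?php
// Added illustration, not SMF source code. render_smiley() is a hypothetical,
// simplified renderer; the file name and the second smiley code are constructed.

// Save step: with $encode = true, quotes are converted to entity form
// (' becomes &#039; and " becomes &quot;).
function save_smiley_code(string $code, bool $encode): string
{
    return $encode ? htmlspecialchars($code, ENT_QUOTES, 'UTF-8') : $code;
}

// Output step: the stored code is written into an attribute as-is,
// so its safety depends entirely on what the save step did.
function render_smiley(string $storedCode): string
{
    return "<img src='carbon.gif' alt='" . $storedCode . "'>";
}

// Parse the markup with an HTML parser and list the attributes on <img>.
function img_attributes(string $html): array
{
    $doc = new DOMDocument();
    @$doc->loadHTML($html); // suppress parser warnings on broken markup
    $img = $doc->getElementsByTagName('img')->item(0);
    $found = [];
    foreach ($img->attributes as $attr) {
        $found[$attr->name] = $attr->value;
    }
    return $found;
}

// First sample is the code from the report; the second is constructed to
// show a quote ending the attribute and starting a new one.
$samples = [":carbon'r:", ":x' data-injected='1"];
foreach ($samples as $code) {
    foreach ([false, true] as $encode) {
        $stored = save_smiley_code($code, $encode);
        $attrs = img_attributes(render_smiley($stored));
        printf("%-8s stored=%-36s attributes=%s\n",
            $encode ? 'encoded' : 'raw', $stored, implode(',', array_keys($attrs)));
    }
}
```

Requires PHP's DOM extension. In the encoded rows the whole code stays inside `alt`; in the raw rows the quote closes the attribute and the remainder is parsed as markup.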

Shadow aok

I'd say we can forget the quote, it's better this way :)
