../irclogs/#mantishelp.2009-12-05.log

| Nick | Message | Time |
|---|---|---|
| | --- scribe started --- | 00:00 |
| | --- scribe started --- | 11:56 |
| paulr_ | dhx_m | 13:41 |
| paulr_ | hi | 13:41 |
| paulr_ | :) | 13:41 |
| paulr_ | i've got some issues for you :P | 13:41 |
| dhx_m | paulr_: hi! :) | 13:42 |
| paulr_ | hmm | 13:42 |
| * | paulr_ watches php crash | 13:42 |
| dhx_m | and now it's my fault hey? :p | 13:43 |
| paulr_ | nah | 13:43 |
| paulr_ | right | 13:43 |
| paulr_ | xss issues | 13:43 |
| dhx_m | yep | 13:43 |
| dhx_m | from the other day when you weren't here: | 13:44 |
| dhx_m | dhx_m> "user_get_name should return a relatively safe username imo"... it shouldn't, as user_get_name isn't going to always be used for HTML output... we have email output, twitter output, SOAP output, etc | 13:44 |
| paulr_ | wow | 13:44 |
| paulr_ | just wow | 13:44 |
| paulr_ | ;) | 13:44 |
| dhx_m | to answer a concern from a few days ago :p | 13:44 |
| paulr_ | i was more meaning | 13:45 |
| paulr_ | a username should be plain characters | 13:45 |
| paulr_ | but ok | 13:45 |
| paulr_ | ok :( | 13:45 |
| paulr_ | let me pm you a xss url :P | 13:45 |
| dhx_m | nah we should allow UTF-8 characters | 13:45 |
| dhx_m | oh you found more? :o | 13:45 |
| paulr_ | no | 13:45 |
| paulr_ | old one | 13:45 |
| dhx_m | you may want Russian usernames, etc | 13:45 |
| paulr_ | which as you seem to want to fix them :P | 13:45 |
| CIA-21 | Mantisbt: hickseydr * r3363f9076326 /permalink_page.php: Fix #11260: Attribute injection/XSS in permalink_page.php | 14:11 |
| CIA-21 | Mantisbt: hickseydr master-1.2.x * r1740b99c46c6 /permalink_page.php: Fix #11260: Attribute injection/XSS in permalink_page.php | 14:11 |
| nuclear_eclipse | btw dhx_m, you should be using string_attribute() instead of string_display_line() when it's going into an attribute field of an HTML tag... | 14:45 |
| dhx_m | nuclear_eclipse: I thought about that, but string_attribute doesn't handle new lines? | 14:46 |
| dhx_m | nuclear_eclipse: btw thanks for fixing the anonymous login bug :D | 14:46 |
| nuclear_eclipse | it shouldn't have any reason to for a username? | 14:46 |
| dhx_m | right... but I was assuming the worst case data being provided to the HTML output layer | 14:47 |
| nuclear_eclipse | anyways, newlines in an HTML attribute is a non-issue IMO | 14:47 |
| nuclear_eclipse | however, string_display will not escape quotes, and you absolutely need that for something going into an attribute field | 14:48 |
| dhx_m | I just thought that someone could potentially use new-lines to trick users into thinking there are two links/buttons instead of one | 14:48 |
| dhx_m | it will escape double quotes (from my tests) | 14:49 |
| nuclear_eclipse | oh? | 14:49 |
| nuclear_eclipse | btw, a newline in an href ends the url afaik | 14:49 |
| nuclear_eclipse | and you could do echo '<a href="', string_attribute( $url ), '">', string_display_line( $url ), '</a>' | 14:50 |
| dhx_m | guess so | 14:50 |
| dhx_m | $t_string = string_html_specialchars( $t_string ); | 14:50 |
| nuclear_eclipse | which IMO would be more semantically correct | 14:50 |
| dhx_m | from MantisCoreFormatting.php | 14:50 |
| dhx_m | oh well, we'll be fixing all of this mess with the move to templating | 14:51 |
| dhx_m | if that ever happens | 14:51 |
| dhx_m | I know PHPTAL handles string sanitising for you (AFAIK) | 14:51 |
| dhx_m | anyway, gtg for now | 14:55 |
| dhx_m | will be around later | 14:55 |
| dhx_m | cya | 14:55 |
| paulr_ | WOW | 16:14 |
| * | paulr_ smashes nuclear_eclipse with a brick | 16:14 |
| beejeebus | does mantis support mail routing? | 19:52 |
| beejeebus | replying to a ticket via an email? | 19:52 |
| moto-moi | Not replying, but it can email the owner of the ticket after the ticket changes | 19:53 |
| moto-moi | But I don't think that is what you mean? | 19:53 |
| moto-moi | don't you mean something like OTRS? | 19:54 |
| beejeebus | moto-moi: right, i mean, an email is generated for a ticket, and the viewer of the email can reply to ticket-<id>@example.com, and it is automatically associated with ticket <id> | 19:54 |
| beejeebus | like eventum or RT etc | 19:54 |
| moto-moi | No, it can't do that :) | 19:54 |
| beejeebus | moto-moi: how pluggable is it? can that be written as a plugin? | 19:55 |
| moto-moi | I have never looked into that, so I wouldn't know, sorry :) | 19:55 |
| beejeebus | moto-moi: ok, thanks | 19:55 |
| CIA-21 | Mantisbt: s.mazeland * r964915c9db27 / (5 files in 2 dirs): Localisation updates from translatewiki.net (2009-12-05) | 20:19 |
| paulr_ | nuclear_eclipse: oi | 20:26 |
| paulr_ | dhx_m: sigh | 22:22 |
Generated by irclog2html.py