Re: yet more suggestions for .73...: msg#00018 cms.phpslash.devel
On Sun, 11 May 2003, Luis M wrote:

> >Can you please give a very specific example what exactly you did to
> >discover this (including html/exttrans/plain settings, phpversion,
> >phpslash version, os version, browser, and a step-by-step regression)
> >Does this happen every time? If so I'd like to fix this and get it out
> >pronto.
>
> I believe this is the same for all versions of phpslash since 0.62 up to
> 0.72rc1:
>
> 1. Go to the Admin section
> 2. Hit "new" to add a new story
> 3. Try to add a story that contains Perl code with hashes defined like:
> $myhas{td} . etc...
>

I have tried this with the current CVS (and current php-lib-stable cvs) using both the nobody user / submission page and as a root user using the story admin page and cannot replicate this behavior using extrans, html or plaintext formats using Safari-b2.

Please, what versions of phpslash, phplib and php are you running? Does the above example work exactly as you describe under your environment? Can you take a screengrab of what you enter into the page and what the preview looks like? Can you send me the exact text that caused this?

> The {td} part of the hashes will mess up the article badly when previewing.
> In fact, the whole page gets mumble with all kinds of crazy things. What I
> do to fix that is adding spaces between the curly-braces.
> Clearly that should not happen.
> I don't think this affects the server directly, nor have I tried to inject any
> type of code to the database. In other words, I'm assuming this cannot be
> done and have not tried. In any case, only the users with Admin rights can
> add news to the site. So, nothing to worry (right?).
> If this is a real bug, it may also affect the submission.php page...
> However, I believe that the stories (the text coming from the database to be
> displayed as stories) should not be parsed as if it was a template or as if
> dynamic PHP code was coming from the database... That could create problems.
> (It creates problems for people who have sites publishing code, as I do :-)

The input stuff should clean() the text before it even gets to the database. The {} construct is also the same for phplib template placeholder, AFAIK, things that look like {foo} get removed during parsing by the template system and should be additionally fixed by the submission and story classes. Joe probably knows how this works off the top of his head..

-n

--
------
nathan hruby
nathan-MSHXTcNGJzS8rjiVs5Nzzw@xxxxxxxxxxxxxxxx
------
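The behaviour discussed in this message, as an added example that is not part of the original thread and is not phpslash or phplib code: a simplified template pass that strips leftover `{name}` placeholders also eats `{td}` inside stored story text, and encoding braces in user content before substitution avoids that. `render_template()`, `escape_braces()`, the placeholder names and the sample story are all hypothetical, and the strip pattern is an assumption modelled on the symptoms described above.

```php
<?php
// Simplified stand-in for a template engine's final pass (an assumption,
// not phplib's code): fill known placeholders in order, then strip any
// {name} that is still left in the output.
function render_template(string $tpl, array $vars): string
{
    foreach ($vars as $name => $value) {
        $tpl = str_replace('{' . $name . '}', $value, $tpl);
    }
    // Leftover placeholder = braces around a run containing no whitespace.
    // Under this assumption "{ td }" survives, matching the reported
    // workaround of adding spaces inside the curly braces.
    return preg_replace('/\{[^ \t\r\n}]+\}/', '', $tpl);
}

// Hypothetical helper: make braces in user content inert for the template
// pass. Apply it after HTML escaping so the "&" of the entity is kept.
function escape_braces(string $text): string
{
    return strtr($text, ['{' => '&#123;', '}' => '&#125;']);
}

// Constructed sample data (single quotes keep the Perl "$" literal).
$story = 'my $row = $cells{td} . $cells{tr}; # see {STORY_TITLE}';
$tpl   = "<h2>{STORY_TITLE}</h2>\n<pre>{STORY_TEXT}</pre>\n{UNUSED_BLOCK}";

// Unprotected: story text is substituted first, so its own {STORY_TITLE}
// is filled in as if it were template markup and {td}/{tr} are stripped.
$raw = render_template($tpl, [
    'STORY_TEXT'  => htmlspecialchars($story),
    'STORY_TITLE' => 'Hash demo',
]);

// Protected: braces in the story are entities by the time the template
// runs, so only real template placeholders are touched.
$safe = render_template($tpl, [
    'STORY_TEXT'  => escape_braces(htmlspecialchars($story)),
    'STORY_TITLE' => 'Hash demo',
]);

echo "--- unprotected ---\n", $raw, "\n";
echo "--- braces encoded ---\n", $safe, "\n";
```

The browser renders `&#123;` and `&#125;` as literal braces, so published code keeps its hash subscripts while the template engine never sees them as placeholders.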