#13, 16 Jan 2020, 08:43
postcd
 
Join Date: Feb 2012
Originally Posted by Paul M:
Do not comment that line out. You are opening an XSS security hole by removing the htmlspecialchars call.
In the file /includes/class_bbcode.php I found two lines:
$text = htmlspecialchars_uni(vbchop($tmp, 36) . '...' . substr($tmp, -14));

so I replaced both with:
$text = htmlspecialchars_uni($text);

and it seems to work (no link shortening). Is that better regarding security?
https://www.w3schools.com/PHP/func_s...ecialchars.asp

Last edited by postcd; 16 Jan 2020 at 08:49.
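The three options discussed in this thread side by side, as an added illustration that is not vBulletin's own code: the line commented out (no escaping), the original shortening line (truncate, then escape), and postcd's replacement (escape the full text). Plain PHP stand-ins are assumed for the vBulletin helpers: htmlspecialchars() for htmlspecialchars_uni() and mb_substr() for vbchop(); the 50-character shortening threshold, the render_link_text/leaks_markup helper names and the payload are all constructed for the demo, not taken from vBulletin.

```php
<?php
declare(strict_types=1);

// Added illustration, not vBulletin code. Assumptions: htmlspecialchars() stands in
// for htmlspecialchars_uni(), mb_substr() for vbchop(); SHORTEN_ABOVE is a demo value.

const SHORTEN_ABOVE = 50;   // assumed: 36 + 14 chars are kept, so only longer text is cut

function escape_html(string $s): string
{
    // ENT_QUOTES also escapes ' and ", which matters if the text ends up in an attribute
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

/**
 * Produce the visible text of a [url] tag.
 *   'raw'       - the htmlspecialchars call commented out (what Paul M warns against)
 *   'shortened' - first 36 chars + '...' + last 14 chars, then escape (original line)
 *   'full'      - escape the whole text with no truncation (postcd's replacement)
 */
function render_link_text(string $text, string $mode): string
{
    switch ($mode) {
        case 'raw':
            return $text;
        case 'shortened':
            if (mb_strlen($text) > SHORTEN_ABOVE) {
                $text = mb_substr($text, 0, 36) . '...' . mb_substr($text, -14);
            }
            return escape_html($text);
        case 'full':
            return escape_html($text);
    }
    throw new InvalidArgumentException("unknown mode: $mode");
}

/** True if the rendered output still carries a raw <script> tag a browser would run. */
function leaks_markup(string $html): bool
{
    return preg_match('/<\s*script/i', $html) === 1;
}

// Constructed test input: link text carrying a script tag, as an attacker would post it.
$payload = 'http://example.com/page?q="><script>alert(document.cookie)</script><a href="';

foreach (['raw', 'shortened', 'full'] as $mode) {
    $out = render_link_text($payload, $mode);
    printf("%-9s %s\n  %s\n", $mode, leaks_markup($out) ? 'XSS' : 'safe', $out);
}
```

Only the 'raw' mode lets the tag through; both escaped modes turn `<` and `>` into `&lt;` and `&gt;`, so the truncation was never what protected the page, the htmlspecialchars call was. Note the example covers only the visible link text; how the href attribute itself is sanitised is a separate code path that this thread does not show.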