1 (edited by _arse 2004-08-22 19:32)

Topic: HTML Escape Characters

Whilst toying with HTML Escape characters in PunBB I found:

1
Having a # in your nickname appears to screw things up.
No immediate problems: # nicknames can still be deleted by Admins.
The only problem I am able to find is that # nicknames can't create posts:

Bad request. The link you followed is incorrect or outdated.

2
Also, it is possible to register a nickname that appears to be exactly the same as one that is already registered using HTML Escape Characters. Whilst the 25 Chars limit prevents anyone from registering 'Administrator' it could create confusion and be used to scam / trick people.
Here's an example:

The username "Jack" is registered, and we want to register the same nickname... so we register "Jack" (WRITTEN IN HTML ESCAPE CHARACTERS). Whilst to us this looks mostly like garbage, our web browser will interpret it as "Jack". However, due to the above bug you will be unable to actually POST, because that is impossible (I think) with #'s in your nickname.

3
It is possible to get past the PunBB censorship by using HTML Escape characters. For example, if we wanted to say "fack" on a forum where this was forbidden, we could simply say "fack" (WRITTEN IN HTML ESCAPE CHARACTERS).


You can find more info about HTML Escape chars here: http://www.theukwebdesigncompany.com/ar … acters.php

You guys prolly already worked out you could solve all these problems by converting HTML Escape chars to normal chars.

Re: HTML Escape Characters

OK, I'm confused: did my web browser screw up and convert all my carefully typed out HTML Escape characters, or did PunBB do that?

Re: HTML Escape Characters

It probably did it when you edited the post. I saw them before you edited it...

Re: HTML Escape Characters

Ahh, thanks. I've just postfixed everything that was written in HTML Escape Chars with "(WRITTEN IN HTML ESCAPE CHARACTERS)" because I'm too lazy to type all that out again :\

5 (edited by _arse 2004-08-22 19:55)

Re: HTML Escape Characters

Also: using:

& # 3 2 ;

can get past register.php's attempts to stop multiple " "'s.

Re: HTML Escape Characters

I'll review this for 1.2. Thanks for the heads up.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Re: HTML Escape Characters

Rickard here. Just testing.

As you can see, I am unable to replicate the problem with posting with a username containing a #. I don't know why you have experienced the problem, _arse. The only thing that comes to mind is the fact that you can't load the post form (in post.php and in viewtopic.php) with one user and then, in another window, log in with a different user and try to post the form in the first window. The form is filled with a hidden element form_user that has to match that of the logged-in user when the post is actually submitted. Could this be what happened to you?

Regarding HTML entities: the problem is that there is no good way of converting HTML entities to their respective characters. The only solution I know of is building two massive arrays and doing a search and replace on the text. That call to str_replace() will be very time consuming, especially for longer posts. That is also the reason that no other forum software I know of does it. There are more problems. The reason PunBB doesn't escape the & in posts, so that HTML entities can be displayed as the actual entity instead of the character it represents, is related to Internet Explorer. If you try to post a piece of text in e.g. Russian to a form that sits on a page with a non-Russian character set (e.g. iso-8859-1), IE will convert all the posted characters to HTML entities before posting them. Thus, HTML entities cannot be "allowed" because people wouldn't be able to post e.g. Russian in these forums.
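The fix _arse suggests and Rickard weighs (decode the character references before the uniqueness, whitespace and censor checks, instead of comparing the raw entity text) is sketched below as an added Python example; it is not PunBB's code, which is PHP, where html_entity_decode() plays the role that html.unescape() plays here. The existing-user list, the censor list, the sample names and the function names are all constructed for the example.

```python
import html
import re
import unicodedata
from typing import List

# Constructed sample data (not taken from the thread).
EXISTING_USERS = ["Jack", "Administrator"]
CENSOR_LIST = ["fack"]

# Matches a decimal, hex or named character reference such as &#74; &#x4A; &amp;
ENTITY_RE = re.compile(r"&(#\d+|#[xX][0-9a-fA-F]+|[A-Za-z][A-Za-z0-9]*);")


def canonical_text(raw: str) -> str:
    """Comparison form of user-supplied text.

    1. decode character references once (&#74; -> 'J', &#32; -> ' ');
    2. apply Unicode NFKC so compatibility forms compare equal;
    3. collapse every run of whitespace to one space and trim;
    4. casefold so 'JACK' and 'jack' collide with 'Jack'.
    """
    decoded = html.unescape(raw)
    folded = unicodedata.normalize("NFKC", decoded)
    collapsed = re.sub(r"\s+", " ", folded).strip()
    return collapsed.casefold()


def username_problems(raw: str, existing: List[str]) -> List[str]:
    """Reasons a registration should be refused; an empty list means accept."""
    problems = []
    decoded = html.unescape(raw)
    # A doubly encoded reference (&amp;#74;) survives a single decode.
    # Refuse it instead of decoding in a loop.
    if ENTITY_RE.search(decoded):
        problems.append("contains nested character references")
    # Unicode categories starting with 'C' are control, format and unassigned.
    if any(unicodedata.category(ch).startswith("C") for ch in decoded):
        problems.append("contains control or format characters")
    # The repeated-space rule, applied after decoding so &#32; cannot hide a
    # second space from it.
    if re.search(r"\s{2,}", decoded) or decoded != decoded.strip():
        problems.append("contains leading, trailing or repeated whitespace")
    canon = canonical_text(raw)
    if not canon:
        problems.append("empty after normalisation")
    elif canon in {canonical_text(u) for u in existing}:
        problems.append("collides with an existing user")
    return problems


def censored_words(raw_post: str, censor_list: List[str]) -> List[str]:
    """Run the word filter over the decoded text, not the raw reference text."""
    text = canonical_text(raw_post)
    return [w for w in censor_list if w.casefold() in text]


if __name__ == "__main__":
    for name in ["Jack", "&#74;&#97;&#99;&#107;", "Jack&#32;&#32;Smith", "Jill"]:
        print(repr(name), "->", username_problems(name, EXISTING_USERS) or "ok")
    print(censored_words("nothing to see &#102;ack here", CENSOR_LIST))
```

The same canonical form is used for the collision check and for the censor, so a name or word spelled with references compares as its plain text. The trade-off Rickard describes still applies: decoding to real characters only helps if the page charset and database can hold those characters (UTF-8 rather than iso-8859-1); otherwise the entity text IE submits for Russian has nowhere to go once decoded.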

8 (edited by scottywz 2005-06-15 15:26)

Re: HTML Escape Characters

_arse wrote:

Whilst toying with HTML Escape characters in PunBB I found:

1
Having a # in your nickname appears to screw things up.
No immediate problems: # nicknames can still be deleted by Admins.
The only problem I am able to find is that # nicknames can't create posts:

Bad request. The link you followed is incorrect or outdated.

2
Also, it is possible to register a nickname that appears to be exactly the same as one that is already registered using HTML Escape Characters. Whilst the 25 Chars limit prevents anyone from registering 'Administrator' it could create confusion and be used to scam / trick people.
Here's an example:

The username "Jack" is registered, and we want to register the same nickname... so we register "Jack" (WRITTEN IN HTML ESCAPE CHARACTERS). Whilst to us this looks mostly like garbage, our web browser will interpret it as "Jack". However, due to the above bug you will be unable to actually POST, because that is impossible (I think) with #'s in your nickname.

3
It is possible to get past the PunBB censorship by using HTML Escape characters. For example, if we wanted to say "fack" on a forum where this was forbidden, we could simply say "fack" (WRITTEN IN HTML ESCAPE CHARACTERS).

4
#hello# made one post, yet #hello#'s profile said that #hello# made three posts.

(Ctd.) _arse wrote:

You can find more info about HTML Escape chars here: http://www.theukwebdesigncompany.com/ar … acters.php

You guys prolly already worked out you could solve all these problems by converting HTML Escape chars to normal chars.

Re: HTML Escape Characters

What do you mean? How do you know #hello# did not write more posts and then delete them?

Re: HTML Escape Characters

Well, when you delete a post, your post count is reduced, isn't it?

Re: HTML Escape Characters

No.

Re: HTML Escape Characters

Oh. I thought so.

Re: HTML Escape Characters

The post count is meant to reflect the number of posts you've made, not the number of posts actually left in the database.
