NamelessMC / Nameless

NamelessMC is a free, easy to use & powerful website software for your Minecraft server, which includes a large range of features.
https://namelessmc.com/
MIT License
597 stars 312 forks

Strip HTML tags from page description #3490

Closed samerton closed 4 months ago

Derkades commented 4 months ago

Why addslashes? Isn't that function specifically for PHP strings? I think htmlspecialchars() is the right function to use here.

samerton commented 4 months ago

Why addslashes? Isn't that function specifically for PHP strings? I think htmlspecialchars() is the right function to use here.

This is just the page description so it shouldn't have any HTML inside - we have already stripped HTML tags, now we need to ensure that quotation marks " are also escaped so that they do not interfere with the meta tags

Derkades commented 4 months ago

Still, addslashes is for PHP which means it for example escapes " to \" while htmlspecialchars (with the default flags including ENT_QUOTES) is meant for HTML which means it correctly escapes " to &quot;. addslashes might coincidentally seem to work fine but it probably has subtle security holes. It's like using urlencode to escape for a SQL query. The addslashes documentation (and comments) warn about this.
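The difference the thread is discussing, shown side by side as an added example (this is not NamelessMC code, and the sample description is constructed): a stripped page description containing a double quote is placed into a meta tag once with addslashes() and once with htmlspecialchars(). The helper name metaDescriptionTag is an assumption for illustration.

```php
<?php
// Added example, not part of the NamelessMC project.
// Compares addslashes() with htmlspecialchars() when a page description
// is inserted into the content attribute of a <meta> tag.

// Constructed sample input: contains both an HTML tag and a double quote.
$description = 'Welcome to the <b>"best"</b> server';

// Step the PR already performs: remove HTML tags from the description.
$stripped = strip_tags($description);
// $stripped === 'Welcome to the "best" server'

// addslashes() escapes for PHP string literals, turning " into \".
// HTML attributes do not treat a backslash as an escape character, so the
// quote still terminates the attribute value and the tag is malformed.
$withAddslashes = addslashes($stripped);
echo '<meta name="description" content="' . $withAddslashes . '">' . PHP_EOL;
// <meta name="description" content="Welcome to the \"best\" server">

// htmlspecialchars() escapes for HTML, turning " into &quot; (ENT_QUOTES also
// covers single quotes). The flags are passed explicitly so the behaviour is
// the same on PHP versions before 8.1, where ENT_QUOTES was not the default.
$withHtmlspecialchars = htmlspecialchars($stripped, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
echo '<meta name="description" content="' . $withHtmlspecialchars . '">' . PHP_EOL;
// <meta name="description" content="Welcome to the &quot;best&quot; server">

/**
 * Hypothetical helper combining both steps: strip tags, then escape for an
 * HTML attribute context. Returns the complete, well-formed meta tag.
 */
function metaDescriptionTag(string $raw): string
{
    $text = strip_tags($raw);
    $safe = htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<meta name="description" content="' . $safe . '">';
}

echo metaDescriptionTag($description) . PHP_EOL;
```

The point of the second output is that the browser decodes &quot; back to a literal quote when it reads the attribute, so the description displays correctly while the attribute boundary is never ambiguous; addslashes() leaves the raw quote in place and only adds a backslash that HTML ignores.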