bevhost / probind

Professional DNS Management
GNU General Public License v2.0

$record['data'] isn't escaped to be shown on HTML #16

Open marado opened 10 years ago

marado commented 10 years ago

I noticed this on brzones.php, where we do, without any escaping, something like this:

<INPUT type="text" value="$record['data']">

The problem with this is that $record['data'] (especially in the case of TXT records) can have ruinous characters, like ". So, if we have a TXT record saying this is an "example", our HTML will be:

<input type="text" value="this is an "example"">

Which is obviously wrong, and can even lead to data loss.

marado commented 10 years ago

According to RFC 1035:

<character-string> is expressed in one or two ways: as a contiguous set of characters without interior spaces, or as a string beginning with a " and ending with a ". Inside a " delimited string any character can occur, except for a " itself, which must be quoted using \ (back slash).

So, my example was wrong: a TXT record saying this is an "example" needs to be inserted as "this is an \"example\"". Of course, this doesn't quite comply with what we have been doing right now: we have been accepting TXT records with interior spaces. But, just because servers are usually relaxed about our records it doesn't mean we shouldn't be strict generating them. So, my proposal:

1) Accept any kind of input in a TXT field, but:
   1.1 - if it starts with ", we need to validate it, checking whether or not it is composed of a number of character-strings. I mean, the record must be either something like "example one" or "example two" "can have more" "than one" "string";
   1.2 - if it doesn't start with ", convert it to do so. I mean, entry would be turned into "entry", and another "entry" would be converted into "another" "entry";
2) validate all TXT results, only accept valid TXT records (I mean, records that comply with the RFC section I've quoted);
3) always convert text2html the record when you're going to display it on the interface, but
4) escape the record when you're putting it on an input field.
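
The four steps proposed above, together with the escaping of the input value from the opening comment, as an added PHP example. This is not probind's own code; the function names (txtParseQuoted, txtQuote, txtNormalize, htmlAttr, htmlText) and the sample record are assumptions constructed for the illustration, and \DDD decimal escapes from RFC 1035 are not decoded here.

```php
<?php
// Added example, not code from probind: validate/normalize a TXT record into
// RFC 1035 <character-string>s, and escape $record['data'] for HTML.
declare(strict_types=1);

/**
 * Parse rdata that starts with '"' into its quoted <character-string>s.
 * Returns the unquoted strings, or null when the input is not a sequence of
 * "..." strings (inside a quoted string '"' must be written as \").
 * Assumption: \X keeps X literally; \DDD decimal escapes are not decoded.
 */
function txtParseQuoted(string $data): ?array
{
    $strings = [];
    $len = strlen($data);
    $i = 0;
    while ($i < $len) {
        while ($i < $len && ($data[$i] === ' ' || $data[$i] === "\t")) {
            $i++;                       // whitespace between strings
        }
        if ($i >= $len) {
            break;
        }
        if ($data[$i] !== '"') {
            return null;                // an unquoted token mixed in
        }
        $i++;
        $buf = '';
        $closed = false;
        while ($i < $len) {
            $c = $data[$i++];
            if ($c === '\\') {
                if ($i >= $len) {
                    return null;        // dangling backslash
                }
                $buf .= $data[$i++];    // \" and \\ yield the escaped char
            } elseif ($c === '"') {
                $closed = true;
                break;
            } else {
                $buf .= $c;
            }
        }
        if (!$closed || strlen($buf) > 255) {
            return null;                // unterminated, or over 255 octets
        }
        $strings[] = $buf;
    }
    return $strings === [] ? null : $strings;
}

/** Quote one string as a <character-string>: escape \ and " with a backslash. */
function txtQuote(string $s): string
{
    return '"' . str_replace(['\\', '"'], ['\\\\', '\\"'], $s) . '"';
}

/**
 * Steps 1 and 2 of the proposal: input starting with '"' must already be a
 * list of quoted strings; anything else is taken literally and quoted (in
 * 255-octet chunks), so  another "entry"  becomes  "another \"entry\"".
 * Returns null for invalid input, so the caller can reject the record.
 */
function txtNormalize(string $input): ?string
{
    if ($input === '') {
        return null;
    }
    if ($input[0] === '"') {
        $parts = txtParseQuoted($input);
        return $parts === null ? null : implode(' ', array_map('txtQuote', $parts));
    }
    return implode(' ', array_map('txtQuote', str_split($input, 255)));
}

/** Step 4: escape for an attribute value; ENT_QUOTES also covers the ' quote. */
function htmlAttr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Step 3: the text2html step for display outside of input fields. */
function htmlText(string $s): string
{
    return nl2br(htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
}

// Constructed sample record: the one from the issue, stored in normalized form.
$record = ['type' => 'TXT', 'data' => txtNormalize('this is an "example"')];

// Before (the bug): the first '"' in the data terminates the value attribute.
$broken = '<input type="text" value="' . $record['data'] . '">';
// After: quotes, < and > are entity-encoded, so the attribute stays intact.
$fixed = '<input type="text" value="' . htmlAttr($record['data']) . '">';
echo $fixed, "\n", htmlText($record['data']), "\n";
```

txtNormalize rejects invalid quoted input instead of silently repairing it, which is the strict behaviour the proposal asks for; the stored rdata is always in quoted form, so the export routine can write it to the zone file unchanged while the interface applies htmlAttr or htmlText at output time.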

bevhost commented 10 years ago

One solution might be to use a textarea element instead. I would be in favour of this especially if it was just called data and includes pref weight port etc, so for example it was the entire data record. So if the record type was MX the data field might contain "10 mail"

Another solution might be to simply have a standard where the TXT record contains no " characters and the record has them added by the export routine.

I think the second approach would be easier, but it depends on whether you need " in the middle of the string, which would not be possible except with the first approach.

bevhost commented 10 years ago

in 1.2; another "entry" should be converted into "another \"entry\"";