stacks / stacks-website

The website for the Stacks project
http://stacks.math.columbia.edu
GNU General Public License v2.0

Ampersand in comments get parsed wrongly #7

Closed stacks closed 11 years ago

stacks commented 11 years ago

For an example see comment number 5 of our test site.

pbelmans commented 11 years ago

I tried reproducing this but I failed. There have been some modifications to the parsing process in the meantime, so maybe it got fixed. So please try to reproduce this; I might be making some wrong assumptions.

I did notice something strange: MathJax will try to parse things that look like TeX, regardless of them being contained in math delimiters.

stacks commented 11 years ago

Only happens with Firefox (10.0.11 on Gentoo Linux). When I use Chrome it works fine. It also happens on SeaMonkey (2.14). But it may be something with my settings. I'll try nightly builds from Mozilla tonight. (Just tried and the problem is still there.)

stacks commented 11 years ago

It seems that typing '&' in the textarea in Firefox one gets '&amp;' stored in the comment in the database. Then line 324

$comment = htmlspecialchars($comment);

in the function parse_comment in tag.php changes this to '&amp;amp;' in the comment output on the page.

pbelmans commented 11 years ago

The issue doesn't exist in an ancient Firefox 3.5.16, so it's hard for me to get what's going on.

The fact that htmlspecialchars is called at that point (because it should, we don't want any XSS going on) isn't really the problem. As far as I can tell some browsers really send '&amp;' to the server (otherwise it wouldn't be in the database like that, there's no preprocessing going on). I think applying htmlspecialchars_decode before sending stuff to the database isn't harmful, and might solve the problem.

stacks commented 11 years ago

OK, the problem is now gone (tested on Firefox and SeaMonkey), closing.
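
The double encoding discussed in this thread, and the decode-before-storing approach suggested above, as an added example that is not part of the original thread or the stacks-website code. The function names `store_comment` and `render_comment` and the sample submissions are hypothetical and constructed for illustration.

```php
<?php
// Added example: hypothetical helpers, not functions from tag.php.

// Normalise on input: undo entity encoding the client may already have
// applied, so the database always holds raw text.
function store_comment(string $submitted): string {
    return htmlspecialchars_decode($submitted, ENT_QUOTES);
}

// Encode exactly once, at output time. This is the XSS defence and must be
// applied on every path that prints a stored comment.
function render_comment(string $stored): string {
    return htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
}

// Constructed sample submissions.
$samples = [
    'plain ampersand'       => 'Tom & Jerry',
    'pre-encoded by client' => 'Tom &amp; Jerry',
    'markup'                => '<script>alert(1)</script>',
    'pre-encoded markup'    => '&lt;script&gt;alert(1)&lt;/script&gt;',
];

foreach ($samples as $label => $submitted) {
    // Behaviour described in the thread: store as submitted, encode at output.
    $as_is = htmlspecialchars($submitted, ENT_QUOTES, 'UTF-8');
    // Decode before storing, then encode once at output.
    $fixed = render_comment(store_comment($submitted));
    printf("%-22s\n  as-is: %s\n  fixed: %s\n", $label, $as_is, $fixed);
}
```

With decoding on input, the pre-encoded markup sample is stored as raw `<script>` text, so the output-time `htmlspecialchars` call is the only thing keeping it inert. A reader who deliberately types the literal text `&amp;` will also see it stored and shown as `&`.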