On Wed, 24 Jun 2009 07:46:01 am Richard Ellerbrock wrote:
> The existing patch is correct - using htmlspecialchars will have the
> effect of placing escaped strings in the database. It will also have
> the effect of double escaping each time you edit a field.
>
> My patch replaces the display template method block() which does not
> escape with the text() method which uses htmlspecialchars internally.
> See /ipplan/layout/class.layout

You are right, thanks for pointing this out.

> As for the length check. This was a potential, unrelated database
> overflow I discovered during investigation of the xss issue - totally
> unrelated.

Could you elaborate on this? Could this cause any issues security-wise?

Cheers
Steffen
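The double-escaping problem Richard describes, shown as an added example that is not ipplan's own code: the "database" is a constructed in-memory array, and the function names (saveEscaped, saveRaw, editFormValue, roundTrip) are assumptions standing in for the application's storage and the layout class's block()/text() output methods. Approach A escapes with htmlspecialchars before storing, so every edit round trip through a correctly escaped form adds another layer of entities; approach B stores the submitted string verbatim and escapes only at render time, which is the behaviour the text() method is described as providing.

```php
<?php
// Added example (not ipplan code). Contrasts escape-on-input with
// escape-on-output to show why escaping before the database write
// accumulates entities on every edit. Names below are assumptions.

declare(strict_types=1);

/** Escape for an HTML text/attribute context (what text() is described to do). */
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

/** Approach A: escape on the way into the database. */
function saveEscaped(array &$db, string $field, string $submitted): void
{
    $db[$field] = htmlspecialchars($submitted, ENT_QUOTES, 'UTF-8');
}

/** Approach B: store verbatim; escaping happens only when rendering. */
function saveRaw(array &$db, string $field, string $submitted): void
{
    $db[$field] = $submitted;
}

/** Render a stored field into an edit form; both approaches escape here. */
function editFormValue(array $db, string $field): string
{
    return '<input name="' . esc($field) . '" value="' . esc($db[$field]) . '">';
}

/**
 * Simulate a user opening the edit form and saving it unchanged.
 * A browser decodes the entity-encoded value attribute before submitting,
 * so the resubmitted string is html_entity_decode() of what was rendered.
 */
function roundTrip(array &$db, string $field, callable $save): void
{
    $rendered = editFormValue($db, $field);
    preg_match('/value="([^"]*)"/', $rendered, $m);
    $resubmitted = html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
    $save($db, $field, $resubmitted);
}

// Constructed sample input: a typical XSS probe entered into a description field.
$payload = '<script>alert(1)</script>';

$dbA = [];
saveEscaped($dbA, 'descrip', $payload);
for ($i = 0; $i < 2; $i++) {
    roundTrip($dbA, 'descrip', 'saveEscaped');
}
// Each edit wraps the previous layer: &lt; -> &amp;lt; -> &amp;amp;lt; ...
echo "A (escape on input) stored after two edits:  " . $dbA['descrip'] . "\n";

$dbB = [];
saveRaw($dbB, 'descrip', $payload);
for ($i = 0; $i < 2; $i++) {
    roundTrip($dbB, 'descrip', 'saveRaw');
}
// Stored value is unchanged by editing; it is escaped exactly once on display.
echo "B (escape on output) stored after two edits: " . $dbB['descrip'] . "\n";
echo "B rendered: " . esc($dbB['descrip']) . "\n";
```

Run with `php` from the command line. The point of approach B is that the stored data stays a faithful copy of what the user typed, so the only place that needs to be right is the output context, which is exactly where a template method such as text() sits; the check to make when reviewing such a patch is that every remaining block() call on user-controlled data has been converted, since one unescaped output path is enough to keep the XSS alive.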