#1 Bernard, 06.06.2005, 13:07
Bug with special chars after last security patch

hi !

i applied the last security patch and have the following issue. mambo does not convert any special characters to html-codes anymore.

before i was able to paste content from a croatian site and had all the croatian characters in my iso-8859-1 site coded as html chars. that does not work anymore when applying the patch or using mambo 4.5.2.2.


Example Text taken from www.iskon.hr (to see the special characters that i mean):


"Studija je pokazala da većini pušača treba nekoliko pokušaja odvikavanja od te navike prije nego što potpuno prestanu pušiti, tvrdi Walter Farke iz Njemačkog centra za ovisnosti . "


Should be in html (it was like this in mambo before the security patch):

"Studija je pokazala da većini pušača treba nekoliko
pokušaja odvikavanja od te navike prije nego što potpuno prestanu pušiti,
tvrdi Walter Farke iz Njemačkog centra za ovisnosti . "


Anyone can help ?

Thanx in forward

#2 indy68, 10.06.2005, 00:18
Re: Bug with special chars after last security patch

I've done the same patch and noticed when new content is added, html-code is deleted from the content.
example : <a href="...">{mosimage}</a> is just {mosimage} after saving.
I guess this is the same problem

#3 indy68, 14.06.2005, 17:30
Re: Bug with special chars after last security patch

I've been looking into this a little further. It seems to be a php-input-filter-class that has been implemented with this patch that is causing a lot of mischief.

This class is intended to make mambo more secure by preventing users from inputting "malicious" code into the content.

Although I can understand this COULD be a security issue for websites with a large number of contributing users, my current implementation of mambo is for sites with between 1 and 20 users.

The bottom line is that "richer" content (like the use of javascript) is no longer possible in Mambo 4.5.2.2 and existing content will be stripped (=defaced) when it's saved after installation of the patch.

Yet this richer content is necessary for my websites as it adds functionality to it that Mambo can not. I understand that mambots, components or modules would be the better (safe) solution to this problem. Unfortunately these bots, modules or components are available yet.

As there is no way to disable this filter or to define a set of trusted users (like the backend users), I've decided to wait with this 4.5.2.2 patch and stick with the older versions, until I find a way to install it without the input-filter.

You can test the effects of the php-input-filter that was used here : http://cyberai.com/inputfilter/index.php

If you use this string : <a href="javascript:openIT(test.jpg')"><img src="test.jpg" width="72" height="54" hspace="6" alt="click for bigger photo" title="click for bigger photo" border="0" /></a>,
you will see not a lot is left after the execution ...

#4 indy68, 15.06.2005, 12:41
Re: Bug with special chars after last security patch

Security patch 4.5.2.3 should correct this problem.

Last edited by indy68; 16.06.2005 at 11:42.