Opened 7 years ago

Last modified 7 years ago

#31 new defect

Track down and squash strange character in searchsubs

Reported by: kdeugau
Owned by:
Priority: trivial
Milestone:
Version:
Keywords:
Cc:

Description

$webvar{searchsubs} is legitimately set from two form elements, so that "turn it off" can be detected.

This apparently results in a strange character between the defined 'n' of the hidden form field and the 'y' for the checkbox:

n�y

nedit converts this to \ufffdy.

hexdump -C reports:

00000000  27 ef bf bd 79 27 0a                              |'...y'.|

This makes it troublesome to properly strip extra glop.

The current workaround will result in any glop maliciously or accidentally added to searchsubs that contains a 'y' or 'n' causing it to be enabled. This is suboptimal but mostly just annoying.

Change History (1)

comment:1 Changed 7 years ago by kdeugau

(In [176]) /trunk

Remove some more stale commented code
Remove redundant call to initialize $searchsubs
Security review (see #30)

  • set $webvar{page} a little earlier so we don't clutter the session with unusable data
  • tweak initialization of $searchsubs. Improved but will still behave a bit strangely if extra data is deliberately or accidentally added to $webvar{searchsubs} (see #31)
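
A stricter way to interpret the combined value, as an added example that is not part of the ticket or the project's code: it accepts only the exact shapes the form can legitimately produce, instead of enabling the option whenever a 'y' appears. The helper name `parse_searchsubs` is hypothetical, and the separator is assumed to be either NUL or U+FFFD (as bytes `ef bf bd`, matching the hexdump above, or as the decoded character).

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper (not from the project): interpret the raw value of
# the searchsubs form parameter.
# Assumption: the hidden field always contributes 'n', the checkbox adds
# 'y' when ticked, and the two are joined by exactly one separator.
# Returns 1 (on), 0 (off), or undef (malformed input, caller should log it
# and treat the option as off).
sub parse_searchsubs {
    my ($raw) = @_;
    return unless defined $raw;

    # \A and \z anchor the whole string, so a trailing newline or any
    # extra data makes the match fail instead of being ignored.
    return 0 if $raw =~ /\An\z/;                               # hidden only
    return 1 if $raw =~ /\An(?:\0|\xEF\xBF\xBD|\x{FFFD})y\z/;  # hidden + checkbox

    return;    # anything else is not something the form can produce
}

# Constructed sample inputs (not captured from a real request).
my @samples = (
    [ "n",              'hidden field only'       ],
    [ "n\0y",           'NUL-joined'              ],
    [ "n\xEF\xBF\xBDy", 'U+FFFD as UTF-8 bytes'   ],
    [ "n\x{FFFD}y",     'U+FFFD as a character'   ],
    [ "y",              'checkbox without hidden' ],
    [ "xyz",            'glop containing y'       ],
    [ "n\0y\0y",        'extra value appended'    ],
    [ "n\0y\n",         'trailing newline'        ],
);

for my $s (@samples) {
    my $r = parse_searchsubs( $s->[0] );
    printf "%-24s => %s\n", $s->[1], defined $r ? $r : 'rejected';
}
```

The first sample yields 0, the next three yield 1, and the last four are rejected.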